Researchers have identified a vulnerability in WP Bakery page builder that enables attackers to inject malicious JavaScript into pages and posts. This vulnerability allows an attacker to insert code that subsequently targets site visitors’ browsers.
Authenticated Stored Cross-Site Scripting (XSS) Vulnerability
Cross-site scripting vulnerabilities occur when an attacker gains the ability to target visitors’ browsers via malicious scripts covertly placed on a website.
XSS flaws are among the most common types of vulnerabilities.
In this particular attack, known as Authenticated Stored Cross-Site Scripting, the attacker places a script directly on the website. Notably, the attacker must have website credentials to execute the attack.
This requirement makes the vulnerability less severe since the attacker must first acquire credentials.
WP Bakery Authenticated Stored XSS Vulnerability
To exploit this WP Bakery vulnerability, the attacker must have contributor or author-level posting credentials. Once credentials are obtained, the attacker can inject scripts into any posts or pages and even alter posts created by other users.
The vulnerability comprises multiple flaws that allow HTML and JavaScript injection into credentialed users’ posts and pages, as well as those of other authors. Additionally, one specific flaw involved buttons with attached JavaScript functionality.
According to WordFence:
“The plugin also had custom onclick functionality for buttons. This made it possible for an attacker to inject malicious JavaScript in a button that would execute on a click of the button. Furthermore, contributor and author level users were able to use the vc_raw_js, vc_raw_html, and button using custom_onclick shortcodes to add malicious JavaScript to posts.”
WP Bakery Page Builder Versions 6.4 and Under Are Affected
The vulnerability was discovered in late July 2020. WP Bakery released a patch in late August, but subsequent problems persisted, necessitating another patch in early September. The final patch that resolved the vulnerability was issued on September 24, 2020.
Plugin developers maintain a changelog that details updates. However, WP Bakery’s changelog does not clearly indicate the urgency of these updates: it describes the vulnerability patches as improvements rather than explicitly mentioning the security threat.
Screenshot of WP Bakery Page Builder Changelog
The WP Bakery Page Builder plugin is commonly included in themes. Publishers should ensure they are using the latest, secure version, 6.4.1.
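Alongside updating, publishers can review existing post content for the shortcodes named in the WordFence quote. The following is an added example, not code from WordFence or WP Bakery: it flags `vc_raw_js`, `vc_raw_html` and any shortcode carrying a `custom_onclick` attribute. The post records, the `author_role` field and the `example_button` shortcode name are constructed for illustration.

```python
import re

# Shortcodes named in the WordFence quote as usable for script injection.
RAW_SHORTCODES = {"vc_raw_js", "vc_raw_html"}
# Roles the article says are sufficient to exploit the flaw.
LOW_PRIV_ROLES = {"contributor", "author"}

# Opening shortcode tag [name attrs]; closing tags ([/name]) are skipped.
# Quoted attribute values may themselves contain "]".
SHORTCODE_RE = re.compile(r"""\[(?!/)([A-Za-z][\w-]*)((?:"[^"]*"|'[^']*'|[^\]"'])*)\]""")
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s\]]+)""")

def audit_post(post):
    """Return one finding per suspicious shortcode in a single post."""
    findings = []
    for m in SHORTCODE_RE.finditer(post["content"]):
        name = m.group(1).lower()
        attrs = {key.lower() for key, _ in ATTR_RE.findall(m.group(2))}
        onclick = sorted(a for a in attrs if a.startswith("custom_onclick"))
        if name in RAW_SHORTCODES:
            reason = "raw script/HTML shortcode"
        elif onclick:
            reason = "attribute " + ",".join(onclick)
        else:
            continue
        findings.append({
            "post_id": post["id"],
            "shortcode": name,
            "reason": reason,
            "low_privilege_author": post["author_role"] in LOW_PRIV_ROLES,
        })
    return findings

def audit(posts):
    """Audit all posts; findings from contributor/author accounts come first."""
    found = [f for p in posts for f in audit_post(p)]
    return sorted(found, key=lambda f: not f["low_privilege_author"])

# Constructed sample records (assumed to come from a database export).
SAMPLE_POSTS = [
    {"id": 101, "author_role": "contributor", "content": "Intro [vc_raw_js]PLACEHOLDER[/vc_raw_js] outro"},
    {"id": 102, "author_role": "author", "content": '[example_button title="Go" custom_onclick="true" custom_onclick_code="track(items[0])"]'},
    {"id": 103, "author_role": "editor", "content": "[vc_raw_html]PLACEHOLDER[/vc_raw_html]"},
    {"id": 104, "author_role": "contributor", "content": '[gallery ids="1,2"] plain text'},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POSTS):
        print(finding)
```

A finding is a prompt for manual review, not proof of compromise, since these shortcodes also have legitimate uses.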
Citations
Vulnerability Exposes Over 4 Million Sites Using WPBakery
WP Bakery Page Builder Changelog