The popular Beaver Builder WordPress Page Builder was found to contain an XSS vulnerability that can allow an attacker to inject scripts into the website that will run when a user visits a webpage.
Beaver Builder
Beaver Builder is a widely-used plugin that enables anyone to create a professional-looking website using an easy-to-use drag-and-drop interface. Users can start with a predesigned template or create a website from scratch.
Stored Cross-Site Scripting (XSS) Vulnerability
Security researchers at Wordfence published an advisory about an XSS vulnerability affecting the page builder plugin. An XSS vulnerability is typically found in a part of a theme or plugin that allows user input. The flaw arises when there is insufficient filtering of what can be input (this filtering is called input sanitization). Another flaw that leads to an XSS is insufficient output escaping. Output escaping is a security measure applied to a plugin's output that prevents harmful scripts from being passed to a site visitor's browser.
This specific vulnerability is called a Stored XSS. Stored means that an attacker is able to inject a script directly onto the web server. This is different from a reflected XSS, which requires a victim to click a link to the attacked website to execute a malicious script. A stored XSS (as affects Beaver Builder) is generally considered to be more dangerous than a reflected XSS.
The security flaws that gave rise to an XSS vulnerability in Beaver Builder were due to insufficient input sanitization and output escaping.
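How the two controls named above fit together, as an added example that is not Beaver Builder's code or part of the Wordfence advisory: a hypothetical button renderer shown without and with sanitization and escaping. All function names and the sample settings are assumptions; inside WordPress the built-in helpers `sanitize_text_field()`, `esc_attr()`, `esc_url()` and `esc_html()` would fill these roles.

```php
<?php
// Hypothetical button renderer (added illustration, not Beaver Builder's code).
// PHP built-ins stand in for WordPress helpers so the file runs stand-alone.

// Input sanitization: run once, when a contributor's settings are saved.
function sanitize_button_settings(array $raw): array
{
    $text = trim(strip_tags((string) ($raw['text'] ?? '')));
    $link = trim((string) ($raw['link'] ?? ''));
    // Keep only http(s) links; any other scheme is dropped.
    $scheme = strtolower((string) parse_url($link, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $link = '';
    }
    // CSS classes: allow a conservative character set only.
    $class = preg_replace('/[^A-Za-z0-9_ -]/', '', (string) ($raw['class'] ?? ''));
    return ['text' => $text, 'link' => $link, 'class' => $class];
}

// Output escaping: run every time a value is written into HTML.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: stored values are concatenated into the markup as-is.
function render_button_unsafe(array $s): string
{
    return '<a class="' . $s['class'] . '" href="' . $s['link'] . '">' . $s['text'] . '</a>';
}

// After: every value is escaped for the context it lands in.
function render_button_safe(array $s): string
{
    return '<a class="' . esc($s['class']) . '" href="' . esc($s['link']) . '">'
        . esc($s['text']) . '</a>';
}

// Constructed sample settings; the class value carries a stray quote.
$raw = [
    'text'  => 'Open <b>gallery</b>',
    'link'  => 'https://example.com/gallery',
    'class' => 'btn" data-injected="1',
];

echo render_button_unsafe($raw), PHP_EOL;                         // quote closes class early
echo render_button_safe($raw), PHP_EOL;                           // escaping alone contains it
echo render_button_safe(sanitize_button_settings($raw)), PHP_EOL; // both layers applied
```

Sanitizing on save and escaping on output are independent layers: the second line of output shows that escaping still holds when a stored value was never sanitized.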
Wordfence described the vulnerability:
“The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Button Widget in all versions up to, and including, 2.8.0.5 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
The vulnerability is rated 6.4, a medium-level threat. Attackers must gain at least contributor-level permission to be able to launch an attack, which makes this vulnerability a bit harder to exploit.
The official Beaver Builder changelog, which documents what’s contained in an update, notes that a patch was issued in version 2.8.0.7.
The changelog notes:
“Fix XSS issue in Button & Button Group Modules when using lightbox”
Recommended action: It’s generally a good practice to update and patch a vulnerability before an attacker is able to exploit it. It’s a best practice to stage the site first before pushing an update live in case the updated plugin conflicts with another plugin or theme.
Read the Wordfence advisory:
Beaver Builder – WordPress Page Builder <= 2.8.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Button