More than 200K websites are exposed to high-severity vulnerabilities in PageLayer WordPress plugin

Hey, guys! How is everybody doing today? Happy and healthy, hopefully :)

Just the word ‘WordPress’ would make any cybersecurity professional roll their eyes in mild exasperation, thinking “here we go again...” That’s how many vulnerabilities are found in WordPress. 

                             

For those who have no idea what’s the number of vulnerabilities we’re looking at, here’s a page that details all the vulnerabilities/CVEs found in WordPress. It’s not updated with the latest vulnerabilities just yet but look at the total number of vulnerabilities. 294 is a big number!   

Today’s blog is going to be about the latest vulnerabilities found in a WordPress plugin, PageLayer, that pose a threat to more than 200, 000 websites. Team WordFence discovered 2 different high-severity vulnerabilities in the PageLayer WordPress plugin.

Vulnerability #1

With a CVSS score of 7.4, this bug was present due to the lack of permission checks on all AJAX endpoints in the plugin. As a result, a user - regardless of the access levels they’ve been assigned to - can carry out any action. For better understanding, this vulnerability will allow even a subscriber-level user to modify a sites’ contents. 

Team WordFence says: 

“These AJAX endpoints only checked to see if a request was coming from /wp-admin through an authenticated session and did not check the capabilities of the user sending the request.”

**The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the 
characteristics and severity of software vulnerabilities. The National Vulnerability Database
NVD) provides CVSS scores for almost all known vulnerabilities. The screencap below demonstrates
the scoring system.

                    

Vulnerability #2

This vulnerability has a CVSS score of 8.8 and was found in the plugin because it didn’t have CSRF protection. This vulnerability will allow an attacker to inject malicious scripts to the site pages, that would execute whenever there’s any activity in the page. 

**Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted 
actions on a web application in which they’re currently authenticated.

If you want to know technical details about these vulnerabilities, here’s a video by Wordfence. 

Are they patched?

Yes, they are.

The WordFence team got in touch with the developers of the plugin to inform them of the newly-found vulnerabilities. The developers then worked on fixes that addressed both the vulnerabilities. 

For the first vulnerability, permission checks on all functions linked with site changes and addition of nonces for separate public and admin access were implemented. With regards to the second vulnerability, CSRF protection was implemented. 

Both fixes were released with Page Builder: PageLayer version 1.1.2. However, the developers worked on more improvements ever since. Currently, the latest version available is 1.1.4. Users are urged to upgrade to the latest plugin version to receive all updates. 





That’s it for the blog today, y’all! I hope my non-technical reader found the additional notes I made for them useful. Feel free to drop comments and share this blog if you found it interesting.

Stay safe and stay tuned. 

Until next time, friends!

Credits: Wordfence

Add comment