Concerns over Insecure WordPress Plugins: To Be or Not to Be

Researchers have disclosed a slew of vulnerabilities that may have allowed thousands of WordPress sites to be taken over.

The flaws were discovered in Brizy – Page Builder, a WordPress plugin used by more than 90,000 websites. Although a solution was published shortly after, it’s likely that many installations remain unpatched.

The researchers discovered six vulnerabilities in the WordPress framework, all of which are remotely exploitable.

One chain of flaws, when triggered, may allow attackers to achieve “full site takeover” and inject malicious JavaScript into existing entries. A separate vulnerability can be used to upload executable files and achieve remote code execution on its own.

The Brizy – Page Builder vulnerabilities fall in the moderate (6.4) to severe (8.8) range according to the Common Vulnerability Scoring System (CVSS).

An application vulnerability has been discovered in the WordPress plugin.

The researchers became aware of a potential problem when they noticed unusual traffic linked to the Brizy – Page Builder plugin.

Although the plugin was not being actively targeted at that time, the team was able to identify a number of related flaws.

“[The unusual traffic] led us to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced,” Wordfence explained. “Both new vulnerabilities could take advantage of the access control vulnerability to allow complete site takeover.”

The nature of these flaws meant that any registered user (including subscribers) could potentially gain administrator privileges and modify posts and pages, even ones that had already been published to the site. Wordfence discovered the problems in early June.

After a complete investigation was conducted, the experts disclosed the vulnerabilities to the vendor in mid-August, and a full fix was provided roughly a week later.

WordPress users are encouraged to upgrade the Brizy – Page Builder plugin to the most recent version (2.3.17) as soon as possible to avoid being compromised.
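For administrators responsible for more than one site, the practical question is which installs are still below the fixed release. The following added example (not code from the article, from Wordfence, or from the Brizy project) checks a plugin inventory against the 2.3.17 threshold named above. It assumes the inventory has the shape of WP-CLI’s `wp plugin list --format=json` output (name, status, update, version fields) and that the plugin’s slug is `brizy`; the sample inventory is constructed for illustration. Versions are compared numerically rather than as strings, so that 2.3.9 is correctly treated as older than 2.3.17.

```python
import json
import re

# Version that contains the vendor's fix, as stated in the article.
FIXED_VERSION = "2.3.17"

# Assumption: the wordpress.org slug for Brizy - Page Builder.
PLUGIN_SLUG = "brizy"

# Constructed sample inventory mimicking `wp plugin list --format=json`.
# Field names are those WP-CLI emits; values are made up for this example.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.2.1"},
    {"name": "brizy", "status": "active", "update": "available", "version": "2.3.12"},
    {"name": "classic-editor", "status": "inactive", "update": "none", "version": "1.6"},
])


def parse_version(version):
    """Turn '2.3.17' (or '2.3.17-beta') into a tuple of ints for numeric comparison.

    A plain string comparison would rank '2.3.9' above '2.3.17', which is exactly
    the kind of mistake that leaves a vulnerable install reported as patched.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def find_vulnerable_installs(inventory_json, slug=PLUGIN_SLUG):
    """Return [(name, version), ...] for the target plugin below the fixed version.

    The plugin's active/inactive status is deliberately not used to exclude a
    record: an outdated copy on disk is still worth updating or removing.
    """
    findings = []
    for plugin in json.loads(inventory_json):
        if plugin.get("name") == slug and is_vulnerable(plugin["version"]):
            findings.append((plugin["name"], plugin["version"]))
    return findings


if __name__ == "__main__":
    for name, version in find_vulnerable_installs(SAMPLE_INVENTORY):
        print(f"{name} {version} is below {FIXED_VERSION}: update required")
```

In practice the JSON would come from running WP-CLI on each site (or from whatever inventory your fleet tooling already collects) and the script would be run per host; the comparison logic is the same either way.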