Researchers are urging WordPress administrators to patch two new vulnerabilities discovered in a popular plugin that has been downloaded over a million times.
If an attacker is able to trick an admin into clicking on a phishing link or opening a booby-trapped attachment, they could gain full remote control of the site, warned Wordfence threat analyst Chloe Chamberland.
The security vendor notified plugin developer Site Origin, whose Page Builder software is affected, on May 4, with the firm releasing a patch a day later.
The plugin itself is designed to simplify page and post editing in WordPress, via features like a live editor.
Both discovered flaws are cross-site request forgery (CSRF) to reflected cross-site scripting (XSS) vulnerabilities with a CVSS score of 8.8, making them high severity. They affect versions of Page Builder up to and including 2.10.15.
“Both of these flaws allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser,” noted Chamberland. “[They] could be used to redirect a site’s administrator, create a new administrative user account, or, as seen in the recent attack campaign targeting XSS vulnerabilities, be used to inject a backdoor on a site.”
Users are urged to upgrade to version 2.10.16 of Page Builder as soon as possible to mitigate the threat.
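To show what a CSRF-to-reflected-XSS chain looks like in a WordPress admin handler and how the standard fix closes both halves, here is an added illustrative example; it is not SiteOrigin's code and says nothing about where the Page Builder flaws actually sat. The action name `demo_preview` and the `layout` parameter are assumed for illustration.

```php
<?php
// Illustrative WordPress admin-ajax handler (added example, not SiteOrigin's code).
// The action name "demo_preview" and the "layout" parameter are hypothetical.

// BEFORE: no request-origin check and no output escaping. A request forged from
// another site runs with the logged-in admin's cookies (CSRF), and the reflected
// parameter is rendered as HTML in the admin's browser (reflected XSS).
function demo_preview_vulnerable() {
    $layout = isset( $_GET['layout'] ) ? wp_unslash( $_GET['layout'] ) : '';
    echo '<div class="preview">' . $layout . '</div>';
    wp_die();
}

// AFTER: require a capability, verify a nonce bound to the user's session
// (defeats forged requests), and escape before output (defeats reflected script).
function demo_preview_hardened() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // The caller must send a nonce created with wp_create_nonce( 'demo_preview' )
    // as the _ajax_nonce parameter; check_ajax_referer() dies on a mismatch.
    check_ajax_referer( 'demo_preview' );
    $layout = isset( $_GET['layout'] )
        ? sanitize_text_field( wp_unslash( $_GET['layout'] ) )
        : '';
    echo '<div class="preview">' . esc_html( $layout ) . '</div>';
    wp_die();
}
add_action( 'wp_ajax_demo_preview', 'demo_preview_hardened' );
```

When reviewing a plugin update for a fix of this class, look for exactly these two additions around the affected handler: a nonce or referer check and escaping of every reflected value.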
The news comes just days after Wordfence notified WordPress administrators of a spike in attack traffic targeting cross-site scripting vulnerabilities in various plugins and themes.
The firm detected a 30-fold increase in attack traffic over the previous month, with attacks on more than 900,000 sites, from over 24,000 different IP addresses, all from the same malicious actor.
Designed to achieve remote control of targeted sites, the attacks may change slightly over time as the hacker pivots to using other vulnerabilities, Wordfence warned.