Developers issue patch just 24 hours after disclosure

WordPress administrators whose sites use the Page Builder plugin have been urged to update to the latest version (2.10.16) following the recent discovery of two security vulnerabilities.

Earlier this month, the Wordfence Threat Intelligence team discovered two security flaws in Page Builder, a responsive page creation plugin with more than one million active installations.

The two issues were separate cross-site request forgery (CSRF) vulnerabilities, each of which opened the door to reflected cross-site scripting (XSS).

Earning a CVSS score of 8.8, the pair of chained vulnerabilities could allow attackers to forge requests and execute malicious code in the administrator’s browser, potentially leading to full WordPress site takeover.

“This flaw could be used to redirect a site’s administrator, create a new administrative user account, or, as seen in the recent attack campaign targeting XSS vulnerabilities, be used to inject a backdoor on a site,” Wordfence explained.
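As an added illustration of the bug class described above (not SiteOrigin's or Wordfence's code; the function and action names are invented), a WordPress admin-ajax handler in the vulnerable shape, where a missing nonce check lets a forged request reflect unescaped input into the administrator's browser, followed by the hardened form:

```php
<?php
// Added illustration (not SiteOrigin's or Wordfence's code): a hypothetical
// plugin admin-ajax handler of the kind the article describes, first in a
// vulnerable form, then hardened. Function and action names are invented.

// --- Vulnerable pattern: no nonce (CSRF) + unescaped reflection (XSS) ---
// Any page a logged-in administrator visits can submit this request on
// their behalf, and the reflected value runs as script in their browser.
function demo_vuln_preview() {
    $title = $_GET['title'] ?? '';
    echo '<h2>' . $title . '</h2>';          // reflected without escaping
    wp_die();
}
add_action( 'wp_ajax_demo_preview_vuln', 'demo_vuln_preview' );

// --- Hardened pattern ---
function demo_safe_preview() {
    // 1. Break the CSRF link: the request must carry a nonce minted for this
    //    user and action; a forged cross-site request cannot obtain one.
    check_ajax_referer( 'demo_preview', '_wpnonce' );   // dies on failure

    // 2. Least privilege: require the capability the action actually needs.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitize on input and escape on output so the reflection is inert.
    $title = sanitize_text_field( wp_unslash( $_GET['title'] ?? '' ) );
    echo '<h2>' . esc_html( $title ) . '</h2>';
    wp_die();
}
add_action( 'wp_ajax_demo_preview_safe', 'demo_safe_preview' );

// The legitimate caller obtains its nonce server-side when the admin page is
// rendered, e.g. to hand to the page's JavaScript.
function demo_preview_url() {
    return add_query_arg(
        array(
            'action'   => 'demo_preview_safe',
            '_wpnonce' => wp_create_nonce( 'demo_preview' ),
        ),
        admin_url( 'admin-ajax.php' )
    );
}
```

The nonce check is what removes the CSRF half of the chain; the escaping alone would stop the XSS half, but a request handler reachable without a nonce still lets an attacker drive an administrator's session, so both fixes belong together.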

Rapid patch

Both CSRF-to-XSS vulnerabilities affect Page Builder versions up to and including 2.10.15.

Fortunately, the developer of the plugin, SiteOrigin, was quick to acknowledge the bugs, with the company issuing a fix in just 24 hours.

“These flaws have been fully patched in version 2.10.16,” Wordfence explained in a blog post. “We recommend that users immediately update to the latest version available.”
