Two Vulnerabilities Patched in WP Page Builder

On February 15, 2021, the Wordfence Threat Intelligence Team identified two vulnerabilities in WP Page Builder, a plugin used by over 10,000 websites, that allow any logged-in user, including subscribers, to edit site content and inject malicious JavaScript. Because of these vulnerabilities, any logged-in user, including subscribers, can by default access the page builder’s editor and make changes to existing posts on the site. Furthermore, any logged-in user could inject malicious JavaScript into any blog, resulting in a site takeover.

On February 15, 2021, the team contacted Themeum, the plugin’s publisher, and received a response that evening. The next day, on February 16, 2021, the team made full disclosure.

On March 17, 2021, a patched version of the plugin was released. In a commendable show of accountability, Themeum published a blog post the same day about the security problems fixed in the update.

As with every other stored Cross-Site Scripting vulnerability, if a logged-in administrator visited an affected website, malicious JavaScript inserted this way could be used to create malicious administrator accounts or add a backdoor, leading to site takeover. Since any logged-in user, including clients and subscribers, may use this technique for privilege escalation, the risk of this vulnerability being exploited is dramatically increased.

If you know someone who uses this plugin, please share this update with them and ask them to update to the most recent version available, as this vulnerability has been public knowledge since the plugin was updated.
