WordPress plugin bugs can let hackers take over almost 1M sites
WordPress plugin bugs can let hackers take over almost 1M sites

Written by / Courtesy of Bleeping Computer

Two high severity vulnerabilities found in the Page Builder WordPress plugin installed on more than 1,000,000 sites can let hackers create new admin accounts, plant backdoors, and ultimately take over the compromised websites.

The vulnerabilities are a Cross-Site Request Forgery (CSRF) leading to Reflected Cross-Site Scripting (XSS) attacks and they affect all Page Builder versions up to and including 2.10.15.

Attackers can exploit these security flaws by tricking WordPress site administrator into clicking specially crafted links or attachments and execute malicious code in their browsers, as well as forge requests on their behalf.

Page Builder is a popular plugin developed by SiteOrigin to help users easily build responsive grid page content using a widget-based page creating editor.

Malicious code injection

The two Page Builder security vulnerabilities are rated as high severity by Wordfence’s Threat Intelligence team who discovered them and reported the issues to the plugin’s developers on May 4.

The development team released a patch to fix both security issues the next day, on May 5, by adding nonce checks to both the Live Editor feature and the builder_content action were the two bugs were found.

As the researchers explain, exploiting the two bugs can “be used to redirect a site’s administrator, create a new administrative user account, or, as seen in the recent attack campaign targeting XSS vulnerabilities, be used to inject a backdoor on a site.”

Attackers who know what they’re doing can also fully take over compromised WordPress websites once they create rogue admin accounts and plant backdoors for maintaining access.

Millions of WordPress sites waiting for patches

Page Builder’s development team updated the plugin to 2.10.16 almost a week ago to fix the two security flaws and users are urged to patch their installations to avoid attacks.

However, just over 220,000 of all 1 million users have updated their Page Builder installation to the last, patched version since its release last week.

Starting with May 6, Hackers are exploiting two other vulnerabilities in the Elementor Pro and Ultimate Addons for Elementor WordPress plugins to remotely execute arbitrary code and fully compromising unpatched targets.

Another series of attacks against over 900,000 WordPress sites started on April 28 with the attackers attempting to redirect visitors to malvertising sites or plant backdoors if their admins are logged in. 

The threat actor behind these attacks was observed while using at least 24,000 IP? addresses to deliver malicious requests to over 900,000 sites, with over 20 million attacks having been launched against more than half a million sites on May 3rd alone.

To mitigate these attacks, WordPress admins should immediately update their plugins to patch the vulnerabilities threat actors could exploit to compromise their sites.

Read the original article over at BleepingComputer.com.