Researchers found a new vulnerability in the WP Bakery page builder that makes it easy for attackers to inject JavaScript into pages and posts. Attackers first inject code into pages and posts, and that code then attacks the browsers of site visitors.

Cross-Site Scripting

This type of vulnerability lets an attacker try to take control of visitors' browsers through malicious scripts placed surreptitiously on the website. This attack is known as an Authenticated Stored Cross-Site Scripting vulnerability: the attacker places the script on the website directly, but must have credentials for the website to carry out the attack.

According to WordPress:

The plugin also had custom onclick functionality for buttons. This made it possible for an attacker to inject malicious JavaScript in a button that would execute on a click of the button. Furthermore, contributor and author level users were able to use the vc_raw_js, vc_raw_html, and button using custom_onclick shortcodes to add malicious JavaScript to posts.
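For site owners who want to check existing content, the following added example (not from the original article or the plugin's code) audits post content for the shortcodes named in the quote above and ranks findings higher when the post belongs to a contributor or author account. The post records, the `vc_btn` button shortcode name and the matching of any attribute beginning with `custom_onclick` are assumptions made for illustration.

```python
import re

# Shortcodes named in the quoted advisory text as usable for script injection.
RAW_SHORTCODES = {"vc_raw_js", "vc_raw_html"}
# Roles the advisory says could add these shortcodes to posts.
LOW_PRIV_ROLES = {"contributor", "author"}

# Opening shortcode tag only: [name attrs]; closing tags ([/name]) do not match.
SHORTCODE_RE = re.compile(r"\[(?P<name>[A-Za-z0-9_]+)(?P<attrs>[^\]]*)\]")
# Assumption: any attribute whose name starts with custom_onclick is of interest.
ONCLICK_ATTR_RE = re.compile(r"\bcustom_onclick\w*\s*=", re.I)

def audit_posts(posts):
    """Return (post_id, author, severity, reason) for each suspicious shortcode."""
    findings = []
    for post in posts:
        for m in SHORTCODE_RE.finditer(post["content"]):
            name = m.group("name").lower()
            if name in RAW_SHORTCODES:
                reason = f"[{name}] raw block"
            elif ONCLICK_ATTR_RE.search(m.group("attrs")):
                reason = f"[{name}] custom_onclick attribute"
            else:
                continue
            # Low-privilege authorship is the case described in the advisory.
            severity = "high" if post["role"] in LOW_PRIV_ROLES else "review"
            findings.append((post["id"], post["author"], severity, reason))
    return findings

# Constructed sample records (hypothetical export of post id, author, role, content).
SAMPLE_POSTS = [
    {"id": 101, "author": "alice", "role": "administrator",
     "content": "[vc_row][vc_raw_html]PLACEHOLDER[/vc_raw_html][/vc_row]"},
    {"id": 102, "author": "bob", "role": "contributor",
     "content": '[vc_row][vc_btn title="Go" custom_onclick="true"][/vc_row]'},
    {"id": 103, "author": "carol", "role": "author",
     "content": "[vc_row][vc_raw_js]PLACEHOLDER[/vc_raw_js][/vc_row]"},
    {"id": 104, "author": "dave", "role": "contributor",
     "content": "[vc_row][vc_column_text]Text mentioning custom_onclick.[/vc_column_text][/vc_row]"},
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(finding)
```

Findings marked `review` come from privileged accounts and may be legitimate; findings marked `high` match the contributor and author case the quote describes and deserve a manual look at the post.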

Affected Page Builder

The issue came to light in July 2020. WP Bakery tried to fix it in late August, but some problems remained. A second patch came out in early September, followed by the final one on September 24, 2020.

The plugin developers published a changelog, visible in the plugin area of the WordPress admin, that explains what each update is about.