Researchers found a new vulnerability in the WP Bakery page builder, which makes it easy for the attackers to change the JavaScript into pages and posts. Attackers first inject code into pages and posts and then they attack site visitor browsers.
Recommendation – WordPress 5.5.1 Is Fixing Issue That Broke Millions Of Websites
Cross-Site Scripting
These types of vulnerabilities are described by the way an attacker trying to get control of the browsers of the visitors by using malicious scripts that are placed on the website surreptitiously. The attack is known as Authenticated Stored Cross-Site Scripting Vulnerability. In this vulnerability, the script is placed by the attacker on its own on the website, but the attacker must have the website credentials for attacking.
According to WordPress:
The plugin also had custom onclick functionality for buttons. This made it possible for an attacker to inject malicious JavaScript in a button that would execute on a click of the button. Furthermore, contributor and author level users were able to use the
vc_raw_js
,vc_raw_html
, and button usingcustom_onclick
shortcodes to add malicious JavaScript to posts.
Affected Page Builder
The issue came to light in July 2020, which WP bakery tried to solve in late August but some of the other problems were still there. The second patch for solving this vulnerability came out in early September which was followed by the final one on September 24, 2020