Vulnerabilities Patched in WP Page Builder

On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These vulnerabilities allowed any logged-in user, including subscribers, to access the page builder’s editor and make changes to existing posts on the site by default. Additionally, any logged-in user could add malicious JavaScript to any post, potentially resulting in site takeover.

We initially contacted Themeum, the plugin’s publisher, on February 15, 2021 and received a response that evening. We provided full disclosure the next day, on February 16, 2021. A patched version of the plugin was made available on March 17, 2021. In a laudable display of transparency, Themeum released a blog post the same day about the security issues fixed in the update.

Wordfence Premium users received a firewall rule protecting against these vulnerabilities on February 15, 2021. Sites still running the free version of Wordfence received the same protection 30 days later, on March 17, 2021.

WP Page Builder is a site designer that allows easy visual editing of posts and pages. One feature that it included was the ability to block specific roles from editing posts and pages.

Unfortunately, no roles were blocked by default, including subscriber-level roles. This meant that any user able to log into a site running WP Page Builder, including subscribers and customers, could access the visual editor simply by visiting the post editor’s URL for a given post or page and supplying wppb_editor in the action parameter. Once in the visual editor, these users could make and publish changes to existing posts and pages despite lacking the permissions normally required to do so.

While the ability of untrusted users to edit posts and pages would be a nuisance on its own, it was also possible for any logged-in user to add malicious JavaScript to any post or page via the visual editor. This could be done through both the “Raw HTML” widget and the “Custom HTML” widgets. JavaScript could be added directly to the “Raw HTML” widget via the User Interface. Adding JavaScript to the “Custom HTML” widget required sending a crafted request via the page_builder_data parameter when performing the wppb_page_save AJAX action, which is used by the plugin to save changes to a post. It was also possible to insert malicious JavaScript via the wppb_page_css parameter when sending a crafted wppb_page_save AJAX request.

As with any stored Cross-Site Scripting vulnerability, malicious JavaScript injected this way could be used to insert malicious administrators or add a backdoor if a logged-in administrator visited an affected page, leading to site takeover. The fact that any logged-in user, including customers and subscribers, could use this technique for privilege escalation significantly increases the risk of this vulnerability being exploited.

Timeline

February 15, 2021 – Wordfence Threat Intelligence finishes researching vulnerabilities in the WP Page Builder plugin. We release a firewall rule to our premium customers and initiate contact with Themeum, the plugin publisher.
February 16, 2021 – We provide full disclosure to Themeum.
March 17, 2021 – A patched version of the plugin is made available, and the firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we covered 2 vulnerabilities in WP Page Builder that collectively allowed any logged-in user the ability to change site content and add malicious JavaScript to a site. We strongly recommend updating to the latest version available, which is 1.2.5 at the time of this writing.

Wordfence Premium users have been protected against these exploits since February 15, 2021. Sites still running the free version of Wordfence received the same protection on March 17, 2021.

If you know anyone using this plugin, please forward this advisory to them and encourage them to make sure they’ve updated to the latest version available, as this vulnerability has been public since the plugin was updated.

Special thanks to Themeum for their exemplary handling of these vulnerabilities.