Security firm Wordfence has disclosed vulnerabilities in the Brizy Page Builder WordPress plugin that could affect more than 90,000 websites.
Wordfence's Threat Intelligence team spotted the problem last August, and although a fix has been released, many installations of the plugin may not yet have been updated. An attacker who exploits these flaws could achieve a "complete site takeover" and inject malicious code into posts.
WordPress Security Risk: Vulnerabilities Allow Users to Modify Pages, Posts
These vulnerabilities could allow low-privileged users to pass the plugin's administrator check, permitting them to modify pages and posts, even ones that have already been published, TechCentral reported. Wordfence said it found the vulnerability during a routine firewall check last July. The Brizy Page Builder "did not appear" to be under attack, the company said, but the "unusual traffic" led its researchers to suspect something was wrong.
The Brizy Page Builder plugin relied on a function meant to confirm that the current user was an administrator, and several other capability checks in the plugin depended on it. Due to what Wordfence describes as a "logic flaw," any logged-in user who reached an endpoint under the wp-admin directory passed this check, and with it every other check built on top of it.
This flaw allowed any logged-in user, including subscribers, to modify any page or post created or edited with the Brizy editor, even after it had been published.
Investigating the unusual traffic led researchers to "discover two new vulnerabilities," along with a previously patched one "that had been reintroduced," Wordfence said in a blog post. Together, these could allow an attacker to take over a site completely.
While the plugin's editor does not let lower-privileged users such as contributors add JavaScript to page content, a contributor could modify the request sent to update a page and include JavaScript in the data parameter. When another user, such as an administrator, then views or previews the post, that JavaScript executes in their browser.
WordPress Security Risk: Bug Could Allow Low-Privileged Users to Add Malicious JavaScript to Any Page
Combined with the authorization bypass, even subscribers could add malicious JavaScript to any page, which is what makes a full site takeover possible. JavaScript running in an administrator's session could be used to add new administrator accounts, elevate the privileges of existing users, or add backdoor functionality to plugin or theme files, Wordfence added.
Exploiting this as a subscriber still requires a request containing valid "hash" and "editor-version" parameters, but both are exposed on dashboard pages that subscribers can access. The only parameter an attacker would need to guess when altering a page is "dataVersion", an incrementing integer starting at 1, which can be found within moments by repeating the request.
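The two weaknesses described above, the administrator check that any wp-admin request satisfies and the unfiltered data parameter, are easiest to see side by side. The following is an added illustrative example written for this article, not Brizy's own code. The function and action names (demo_is_administrator_vulnerable, demo_update_page, the _demo_data meta key, the nonce action demo_update_page) are assumed, and so is the idea that the original check reduced to WordPress's is_admin(): that function only reports whether the request targets the wp-admin area (admin-ajax.php included) and says nothing about the user's role, which matches the behaviour Wordfence describes.

```php
<?php
/*
 * Added illustrative example, not Brizy's code. Assumed names: demo_is_administrator_vulnerable(),
 * the AJAX action demo_update_page, the post meta key _demo_data, the nonce action demo_update_page.
 * Assumption: the weak "administrator" check reduced to is_admin(), which is true for any request
 * handled under wp-admin/ (including admin-ajax.php), regardless of who is logged in.
 */

// Vulnerable pattern: an "administrator" check that any logged-in user can pass.
function demo_is_administrator_vulnerable() {
    return is_admin(); // a subscriber calling admin-ajax.php gets true here
}

// Vulnerable handler: passes the weak check, then stores attacker-controlled content unfiltered.
function demo_update_page_vulnerable() {
    if ( ! demo_is_administrator_vulnerable() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $post_id = (int) $_POST['post_id'];
    // 'data' is stored as-is; a <script> placed here runs when an admin previews the page.
    update_post_meta( $post_id, '_demo_data', wp_unslash( $_POST['data'] ) );
    wp_send_json_success();
}

// Hardened handler: nonce, per-post capability check, and HTML filtering for users without unfiltered_html.
function demo_update_page_hardened() {
    // Dies with 403 on a missing or invalid nonce; the nonce is bound to the user's session,
    // unlike the 'hash' / 'editor-version' values that any dashboard page reveals.
    check_ajax_referer( 'demo_update_page', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    // edit_post is evaluated against this specific post: a subscriber can edit nothing, and a
    // contributor cannot touch a published page, no matter which endpoint the request came through.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $data = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
    // Only users WordPress already trusts with raw HTML may store script tags; everyone else is filtered.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $data = wp_kses_post( $data );
    }

    update_post_meta( $post_id, '_demo_data', $data );
    wp_send_json_success();
}

add_action( 'wp_ajax_demo_update_page', 'demo_update_page_hardened' );
```

The client side has to send the nonce from wp_create_nonce( 'demo_update_page' ) in the nonce field for the hardened handler to accept the request. Note what the fix does not do: it never consults a guessable counter like dataVersion or a value mirrored on dashboard pages to decide authorization; it asks WordPress whether this user may edit this post. A builder that stores structured JSON rather than HTML should validate each field against its schema instead of wp_kses_post(), but the capability check is the same.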
In addition, subscribers could upload executable files to a location of their choice on the site via the AJAX action "brizy_create_block_screenshot".
A patched version of the Brizy Page Builder plugin was released in August, a few days after Wordfence discovered the vulnerabilities. The company "strongly recommends" that site owners immediately update to the latest version, 2.3.17.
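An upload handler that lets a subscriber write an executable file to a path of their choosing is missing the same controls in a different place. The following is an added illustrative example, not Brizy's code: the action name demo_block_screenshot, the nonce action of the same name and the $_FILES field 'screenshot' are assumed, and the vulnerable version again assumes the weak check reduced to is_admin(). The hardened version refuses a client-chosen destination, restricts the file to image types verified against the file's actual content, and ties the action to the upload_files capability.

```php
<?php
/*
 * Added illustrative example, not Brizy's code. Assumed names: the AJAX action demo_block_screenshot,
 * the nonce action demo_block_screenshot, the $_FILES field 'screenshot'.
 * Assumption: the weak check in the vulnerable version reduced to is_admin().
 */

// Vulnerable pattern: destination and file name come from the request, no type check, weak auth check.
function demo_block_screenshot_vulnerable() {
    if ( ! is_admin() ) {                       // true for any request under wp-admin/, even from a subscriber
        wp_send_json_error( 'forbidden', 403 );
    }
    // e.g. path=wp-content/uploads and name=shell.php yields a web-reachable PHP file
    $dest = ABSPATH . $_POST['path'] . '/' . $_FILES['screenshot']['name'];
    move_uploaded_file( $_FILES['screenshot']['tmp_name'], $dest );
    wp_send_json_success();
}

// Allowed screenshot formats; anything else (.php, .phtml, .html, .svg ...) is rejected.
function demo_screenshot_mimes() {
    return array(
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
        'webp'     => 'image/webp',
    );
}

// Validate a $_FILES entry without trusting the client-supplied name or type.
// Returns a safe file name, or a WP_Error.
function demo_validate_screenshot( array $file ) {
    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No uploaded file' );
    }
    // Drop any directory component, then strip characters unsafe in a file name.
    $name = sanitize_file_name( basename( (string) $file['name'] ) );
    // Checks the real content (image header / finfo), not just the extension, against the allow-list.
    $ft = wp_check_filetype_and_ext( $file['tmp_name'], $name, demo_screenshot_mimes() );
    if ( empty( $ft['ext'] ) || empty( $ft['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only PNG, JPEG or WebP screenshots are accepted' );
    }
    // WordPress may correct a mismatched extension (a PNG named .jpg); use the corrected name if given.
    return ! empty( $ft['proper_filename'] ) ? $ft['proper_filename'] : $name;
}

// Hardened handler: nonce, capability, content-verified type, server-chosen destination.
function demo_block_screenshot_hardened() {
    check_ajax_referer( 'demo_block_screenshot', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {   // subscribers do not have this capability
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['screenshot'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $name = demo_validate_screenshot( $_FILES['screenshot'] );
    if ( is_wp_error( $name ) ) {
        wp_send_json_error( $name->get_error_message(), 400 );
    }
    $_FILES['screenshot']['name'] = $name;

    // Never take a destination from the request: wp_handle_upload() writes into the uploads directory
    // for the current month, de-duplicates the name, and re-applies the same MIME allow-list.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['screenshot'],
        array( 'test_form' => false, 'mimes' => demo_screenshot_mimes() )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

add_action( 'wp_ajax_demo_block_screenshot', 'demo_block_screenshot_hardened' );
```

A useful check after patching such a handler is to submit a file named shell.php whose bytes are a valid PNG, and one named image.png whose bytes are PHP source: the first should be stored under the server's chosen name with a .png extension, the second rejected outright, and neither should ever land at a path the client specified.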