WPBakery WordPress plugin fixes a critical vulnerability that affected over 4.3 million sites

Published on: October 8, 2020

A critical authenticated stored cross-site scripting (XSS) vulnerability was recently discovered in WPBakery, a WordPress page builder plugin. It allowed low-privileged authenticated users to inject malicious JavaScript into the site's pages and posts. Because the script is saved along with the content, it runs in the browser of everyone who views or previews that page, administrators included, and an attacker riding an administrator's session that way can escalate user privileges and plant backdoors on the compromised site.

Websites that are using Astra Security Firewall are already secured from this vulnerability exposure.

WPBakery is a drag-and-drop page builder for WordPress and PrestaShop. Its backend editor lets site users quickly build pages, posts and custom post types.

Image: WPBakery page builder content elements (WPBakery)

The WPBakery plugin is installed on more than 4.3 million websites, and any of them still running an unpatched version can be compromised through this vulnerability.

Versions of the WPBakery plugin up to and including 6.4 are vulnerable.

Researchers discovered the authenticated stored XSS vulnerability (CVSS score 6.4) in the WPBakery plugin on July 27, 2020 and reported it to the plugin developers on July 28. The WPBakery team released an initial patch on August 21, 2020, but it left gaps that still had to be closed before the vulnerability could no longer be exploited. A fully patched version of the plugin finally followed on September 24, roughly two months after the report.

According to the researchers' report, the plugin was designed with a flaw that gave "users with contributor and author level roles" the ability to inject malicious HTML and JavaScript into pages and posts through the WPBakery page builder. Users in those roles do not hold the unfiltered_html capability in a default WordPress install, so content they save through the normal editor has script tags, event-handler attributes and javascript: URLs stripped; the page builder did not hold their content to the same restriction. The latest version of the plugin fixes this flaw.
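The capability gate the flaw sidestepped, as an added example that is not code from this post or from the WPBakery plugin: a small Python model of what WordPress stores for each role, plus an audit that flags stored posts whose authors' roles should have been filtered but whose content still carries script, event handlers or unsafe URLs. The allowlist is an assumption standing in for the real wp_kses_post() table, and the post records are constructed inline; on a real site they would come from wp_posts joined with each author's role from wp_usermeta.

```python
# Added example, not code from the post or from the WPBakery plugin: a model of
# the WordPress capability gate the flaw let contributors and authors bypass,
# plus an audit of stored post content. ALLOWED_TAGS is an assumed stand-in for
# the real wp_kses_post() table and SAMPLE_POSTS is constructed inline.
import re
from html import escape
from html.parser import HTMLParser

# Roles holding unfiltered_html by default on a single-site install; content
# saved by any other role is run through the KSES allowlist filter.
UNFILTERED_HTML_ROLES = {"administrator", "editor"}

# Tag -> permitted attributes (assumption: a subset of wp_kses_post()).
# Unlisted tags are dropped while their text content is kept.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "strong": set(), "em": set(), "ul": set(),
    "ol": set(), "li": set(), "h1": set(), "h2": set(), "h3": set(),
    "a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
    "div": {"class", "id"}, "span": {"class"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Tags whose presence in a contributor's post deserves an analyst's look.
DANGEROUS_TAGS = {"script", "style", "iframe", "object", "embed", "svg",
                  "math", "form", "meta", "link", "base"}

def url_is_safe(value):
    """Accept relative URLs and allowlisted schemes; reject javascript:, data:,
    vbscript: and scheme smuggling through embedded control characters."""
    v = re.sub(r"[\x00-\x20]", "", value or "").lower()
    scheme, sep, _ = v.partition(":")
    return (not sep) or scheme in SAFE_SCHEMES

class KsesLikeFilter(HTMLParser):
    """Rebuilds markup from allowlisted tags/attributes only and records every
    dangerous construct it removed (HTMLParser already drops comments)."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")          # event handler
            elif name in URL_ATTRS and not url_is_safe(value):
                self.findings.append(f"{tag}@{name}={value}")  # unsafe URL
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"<{tag}>")
        if tag in ("script", "style"):
            self.skip_depth += 1  # drop the element and everything inside it
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                    if n in ALLOWED_TAGS[tag]  # no on* attribute is listed
                    and (n not in URL_ATTRS or url_is_safe(v))]
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped

def run_filter(content):
    """Return (filtered_html, findings) for one piece of stored content."""
    f = KsesLikeFilter()
    f.feed(content)
    f.close()
    return "".join(f.out), f.findings

def sanitize_for_role(content, role):
    """What WordPress should end up storing for a user in the given role."""
    return content if role in UNFILTERED_HTML_ROLES else run_filter(content)[0]

def audit_posts(posts):
    """{post_id: findings} for posts by filtered roles whose stored content still
    carries script, event handlers or unsafe URLs: the footprint of a bypass."""
    flagged = {}
    for post in posts:
        if post["author_role"] not in UNFILTERED_HTML_ROLES:
            findings = run_filter(post["content"])[1]
            if findings:
                flagged[post["id"]] = findings
    return flagged

# Constructed sample rows; on a real site author_role comes from wp_usermeta.
SAMPLE_POSTS = [
    {"id": 101, "author_role": "contributor",
     "content": '<p>Hello</p><script>fetch("/wp-json/wp/v2/users")</script>'},
    {"id": 102, "author_role": "author",
     "content": '<img src="x" onerror="alert(document.cookie)">'
                '<a href="JavaScript:alert(1)">x</a>'},
    {"id": 103, "author_role": "contributor",
     "content": '<p>Plain <a href="https://example.com">link</a></p>'},
]
```

Calling audit_posts(SAMPLE_POSTS) flags posts 101 and 102 and leaves 103 alone. The audit deliberately skips administrators and editors: raw HTML stored by them is allowed by design, so it is not evidence of this bypass, even though a compromised administrator account would leave the same kind of payload behind.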

Update the plugin to version 6.4.1 or later to protect your WordPress site against this cross-site scripting (XSS) vulnerability.
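A version check for an installed copy, as an added example that is not from this post: it reads the standard WordPress plugin header and compares numerically, since a plain string comparison gets 6.4.1 against 6.10 wrong. The plugin directory js_composer, its main file name and the header text are assumptions about the install layout, not facts stated in the post.

```python
# Added example, not from the original post: decide whether an installed
# WPBakery copy falls in the affected range (<= 6.4) from its plugin header.
# Assumption: the plugin lives at wp-content/plugins/js_composer/js_composer.php
# and carries the usual WordPress "Version:" header line.
import re
from pathlib import Path

FIRST_FIXED = "6.4.1"  # the release the advisory says fully closes the hole


def parse_version(text):
    """'6.4' -> (6, 4), '6.4.1' -> (6, 4, 1). Tuples compare numerically, so
    6.10 > 6.4 and 6.4.1 > 6.4, which string comparison gets wrong."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_vulnerable(version):
    """True for every release below the first fixed one, i.e. <= 6.4."""
    return parse_version(version) < parse_version(FIRST_FIXED)


def version_from_header(php_source):
    """Pull the Version: line out of a WordPress plugin file header."""
    match = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", php_source, re.M)
    return match.group(1) if match else None


def check_install(wp_root):
    """(version, vulnerable) for the WPBakery copy under a WordPress root,
    or (None, None) when the plugin is not installed there."""
    main_file = (Path(wp_root) / "wp-content" / "plugins"
                 / "js_composer" / "js_composer.php")
    if not main_file.is_file():
        return None, None
    version = version_from_header(main_file.read_text(errors="replace"))
    if version is None:
        return None, None
    return version, is_vulnerable(version)


# Constructed header text in the shape WordPress plugin headers take.
SAMPLE_HEADER = """<?php
/*
Plugin Name: WPBakery Page Builder
Version: 6.4
*/
"""

if __name__ == "__main__":
    import sys
    print(check_install(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the WordPress root as the only argument; the version-string helpers are separated from the file lookup so the same comparison can be reused over a fleet inventory exported from elsewhere.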

Also, share this advisory with friends and colleagues who run the WPBakery plugin on their sites: an installation left unpatched can suffer significant damage.

A web application firewall (WAF) in front of the site also helps. A WAF can block exploitation attempts aimed at known vulnerabilities in your site files, plugins and themes while you roll out updates, but it is a layer on top of patching, not a replacement for it.

How Astra Firewall works on your website

Astra Security WAF filters malicious traffic and provides intelligent protection to your website. It blocks XSS, SQLi, CSRF, bad bots, the OWASP Top 10 and 100+ other attack types. The firewall learns visitor patterns on your website and automatically blocks visitors with malicious intent.


Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader and researcher and an active contributor to our blog and to cybersecurity writing in general. To date, she has written over 200 blog posts for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS:GO.
