
WPBakery WordPress plugin fixes a critical vulnerability that affected over 4.3 million sites

Recently, a critical Authenticated Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress page builder plugin WPBakery that could allow authenticated hackers to inject malicious JavaScript into the site’s content pages and posts. The vulnerability can further allow hackers to modify user privileges and even plant backdoors in the compromised sites.

Websites that are using Astra Security Firewall are already secured from this vulnerability exposure.

WPBakery is a drag-and-drop page builder for WordPress and Prestashop that also provides a backend editor interface for site users to quickly build pages, posts, and custom post types.

Image: WPBakery page builder content elements (WPBakery)

The WPBakery plugin is currently used by more than 4.3 million website owners, and any of these websites could be easily hacked through this vulnerability if the plugin is not updated to its latest version.

The vulnerable versions of the WPBakery WordPress plugin are <= version 6.4.

Researchers discovered an Authenticated Stored Cross-Site Scripting (XSS) vulnerability (CVSS score 6.4) in the WPBakery plugin on July 27, 2020, and reported it to the plugin developers on July 28. The WPBakery team released an initial patch on August 21, 2020, but it still had minor problems that needed fixing to fully prevent exploitation of this vulnerability. Finally, after 2 months, WPBakery released a fully patched version of the plugin on September 24.

The plugin was designed with a flaw that gave “users with contributor and author level roles” the ability to inject malicious HTML and JavaScript into pages and posts using the WPBakery page builder, reads the researchers' report. This flaw is fixed in the latest version of the plugin.
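Why a contributor or author injecting markup is a plugin bug rather than expected behaviour: WordPress only lets users holding the `unfiltered_html` capability save raw HTML, and contributors and authors do not hold it. The following is an added illustration, not WPBakery's code and not a description of its actual defect, showing a weak pattern next to a hardened one; the meta key, nonce action and request fields are hypothetical names.

```php
<?php
// Added illustration (not WPBakery's code): role-aware handling of HTML that a
// WordPress plugin stores for a post. By default only administrators (and, on a
// single-site install, editors) hold the `unfiltered_html` capability; contributors
// and authors do not. Meta key, nonce action and field names are hypothetical.

// Weak pattern: builder markup is written to post meta untouched. Post meta does
// not pass through the kses filtering core applies to post_content, so a
// contributor's <script> tag or onerror= attribute is stored and later echoed.
function example_save_builder_html_weak( $post_id ) {
    update_post_meta( $post_id, '_example_builder_html', wp_unslash( $_POST['builder_html'] ) );
}

// Hardened pattern: CSRF check, authorisation, then capability-based filtering.
function example_save_builder_html_hardened( $post_id ) {
    if ( ! isset( $_POST['example_nonce'] )
        || ! wp_verify_nonce( $_POST['example_nonce'], 'example_save_builder_' . $post_id ) ) {
        return new WP_Error( 'bad_nonce', 'Request could not be verified.' );
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'forbidden', 'You may not edit this post.' );
    }
    $html = isset( $_POST['builder_html'] ) ? wp_unslash( $_POST['builder_html'] ) : '';
    // Users without unfiltered_html get the same allow-list core uses for posts:
    // script tags, on* event handlers and javascript: URLs are removed.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $html = wp_kses_post( $html );
    }
    update_post_meta( $post_id, '_example_builder_html', $html );
    return true;
}

// Defence in depth at render time: filter again on output so markup stored by an
// older plugin version, or by a user whose role was later downgraded, cannot run.
// Trade-off: this also strips tags an administrator saved deliberately.
function example_render_builder_html( $post_id ) {
    $html = get_post_meta( $post_id, '_example_builder_html', true );
    echo wp_kses_post( $html );
}
```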

It is recommended to update the plugin to its latest version, i.e. v6.4.1, to protect your WordPress site against cross-site scripting (XSS) attacks.

Also, do share this advisory with your friends and colleagues who are using the WPBakery plugin on their sites, because an unpatched site could suffer significant damage.

Further, having a web application firewall (WAF) on your website always helps. A WAF can provide protection against such vulnerabilities in your site files, plugins & themes.

How Astra Firewall works on your website

Astra Security WAF filters malicious traffic and provides intelligent protection to your website. It blocks XSS, SQLi, CSRF, bad bots, OWASP top 10 & 100+ other cyber attacks. This intelligent firewall detects visitor patterns on your website & automatically blocks hackers with malicious intent.
