The popular Beaver Builder WordPress Page Builder was found to contain an XSS vulnerability that could allow an attacker to inject scripts into the website that will be executed when a user visits a web page.
Beaver Builder
Beaver Builder is a popular plugin that allows anyone to create a professional-looking website using an easy-to-use drag-and-drop interface. Users can start with a pre-designed template or build a website from scratch.
Stored Cross Site Scripting (XSS) vulnerability
Wordfence security researchers published an advisory regarding an XSS vulnerability affecting the Page Builder plugin. Typically, an XSS vulnerability is in a part of a theme or plugin that allows user input. The flaw arises when there is insufficient filtering of what can be submitted (a process called input sanitization). Another flaw that leads to XSS is insufficient output escaping, which is a security measure applied to a plugin's output that prevents malicious scripts from passing through to a web browser.
This specific vulnerability is called stored XSS. Stored means that an attacker can inject a script directly into the web server. This is different from reflected XSS, which requires the victim to click on a link on the attacked website to execute a malicious script. A stored XSS (as it affects Beaver Builder) is generally considered more dangerous than a reflected XSS.
The security flaws that resulted in an XSS vulnerability in Beaver Builder were due to insufficient input sanitization and output escaping.
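To make the two defenses concrete, here is an added example (a generic illustration, not Beaver Builder's code and not taken from the Wordfence advisory) of a button renderer that sanitizes settings on input and escapes them on output. The setting names `text`, `link` and `class` and all function names are hypothetical, and the stored value is constructed; in WordPress the same roles are played by functions such as `sanitize_text_field()`, `sanitize_html_class()`, `esc_attr()`, `esc_url()` and `esc_html()`.

```php
<?php
// Input side: normalise what an author submits before it is stored.
function sanitize_button_settings(array $raw): array
{
    $text  = trim(strip_tags((string) ($raw['text'] ?? '')));
    // Keep only characters that are valid in a CSS class name.
    $class = preg_replace('/[^A-Za-z0-9_-]/', '', (string) ($raw['class'] ?? ''));
    $link  = trim((string) ($raw['link'] ?? ''));

    // Allowlist http(s) only; javascript:, data: and scheme-less values become "#".
    $scheme = strtolower((string) parse_url($link, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $link = '#';
    }
    return ['text' => $text, 'link' => $link, 'class' => $class];
}

// Output side: escape a value for HTML text and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: stored values are concatenated into markup unescaped.
function render_button_unsafe(array $s): string
{
    return '<a class="btn ' . $s['class'] . '" href="' . $s['link'] . '">'
        . $s['text'] . '</a>';
}

// Hardened pattern: sanitize, then still escape at output, because stored
// data may predate the sanitizer or reach the database by another path.
function render_button_safe(array $s): string
{
    $s = sanitize_button_settings($s);
    return '<a class="btn ' . e($s['class']) . '" href="' . e($s['link']) . '">'
        . e($s['text']) . '</a>';
}

// Constructed sample: a class value that tries to break out of its attribute.
$stored = [
    'text'  => 'Read more',
    'link'  => 'https://example.com/',
    'class' => 'x" onmouseover="alert(1)',
];
echo render_button_unsafe($stored), PHP_EOL; // attribute boundary is broken
echo render_button_safe($stored), PHP_EOL;   // value stays inside class=""
```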
Wordfence described the vulnerability:
“The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Button widget in all versions up to and including 2.8.0.5 due to insufficient sanitization of input and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts into pages that will be executed whenever a user accesses an injected page”.
The vulnerability has a rating of 6.4, a medium threat level. Attackers must obtain at least contributor-level permissions in order to launch an attack, which makes this vulnerability somewhat more difficult to exploit.
The official Beaver Builder changelog, which documents the contents of an update, notes that a patch was released in version 2.8.0.7.
The changelog notes:
“Fix XSS issue in button modules and buttongroups when using lightbox”
Recommended Action: It is generally good practice to update and patch a vulnerability before an attacker can exploit it. It is also good practice to stage your site first before pushing a live update, in case the updated plugin conflicts with another plugin or theme.
Read the Wordfence notice: