WordPress Page Builder Plugin Bugs Threaten 1 Million Sites with Full Takeover
2020-05-12 16:03

Page Builder by SiteOrigin, a WordPress plugin with a million active installs that's used to build websites via a drag-and-drop function, harbors two flaws that can allow full site takeover.

"If the user is in the live editor, the siteorigin panels live editor parameter will be set to 'true' and register that a user is accessing the live editor. The plugin will then attempt to include the live editor file which renders all of the content."

The bugs affect Page Builder by SiteOrigin version 2.10.15 and below; to avoid full site takeover, admins should upgrade their plugins to version 2.10.16.

Two vulnerabilities - including a high-severity flaw - were patched in a popular WordPress plugin called Popup Builder.

In February, popular WordPress plugin Duplicator, which has more than 1 million active installations, was discovered to have an unauthenticated arbitrary file download vulnerability that was being attacked.


News URL

https://threatpost.com/wordpress-page-builder-bugs-takeover/155659/

Related vendor

VENDOR     #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Wordpress  7           2    95      44    18        159
Plugin     2           0    13      1     0         14