Critical WordPress-Plugin Bug Found in ‘Orbit Fox’ Allows Site Takeover (Security News, January 2021)
Two vulnerabilities in a WordPress plugin called Orbit Fox could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
Orbit Fox is a multi-featured WordPress plugin that works with the Elementor, Beaver Builder and Gutenberg site-building utilities.
Because Orbit Fox performs no server-side validation, lower-level contributors, authors and editors for the site could set the user role assigned upon successful registration to that of an administrator. All an attacker would then need to do is register as a new user, and they would be granted administrator privileges.
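As an added illustration of the bug class described above (hypothetical code, not Orbit Fox's own): a plugin registration handler that trusts a client-supplied role, beside a hardened version that decides the role on the server. The function and form-field names are assumptions.

```php
<?php
// Hypothetical illustration of the bug class described above; this is
// not Orbit Fox's code. Function and form-field names are assumptions.

// VULNERABLE: the role is taken straight from the submitted form, so
// whoever can reach the form can ask for 'administrator'.
function vulnerable_register_user( array $post ) {
    $user_id = wp_create_user( $post['username'], $post['password'], $post['email'] );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    $user = new WP_User( $user_id );
    $user->set_role( $post['role'] ); // client-controlled, never checked server-side
    return $user_id;
}

// HARDENED: the role is decided on the server. Self-registration always
// gets the site's configured default role; a client-supplied role is
// honoured only if the requester may promote users and the value is on
// a short allow-list that never includes 'administrator'.
function hardened_register_user( array $post ) {
    $allowed_roles = array( 'subscriber', 'contributor' );
    $role          = get_option( 'default_role', 'subscriber' );

    $requested = isset( $post['role'] ) ? sanitize_key( $post['role'] ) : '';
    if ( current_user_can( 'promote_users' ) && in_array( $requested, $allowed_roles, true ) ) {
        $role = $requested;
    }

    $user_id = wp_create_user(
        sanitize_user( $post['username'] ),
        $post['password'],
        sanitize_email( $post['email'] )
    );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    $user = new WP_User( $user_id );
    $user->set_role( $role ); // server-chosen role, regardless of what the form sent
    return $user_id;
}
```

The defensive point is that the role assigned at registration is a server-side decision; the submitted value is at most a hint that is checked against a capability and an allow-list.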
In October, two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, were found to open the door to site takeovers.
Newsletter, a WordPress plugin with more than 300,000 installations, was discovered to have a pair of vulnerabilities that could lead to code execution and even site takeover.
Researchers in July warned of a critical vulnerability in a WordPress plugin called Comments - wpDiscuz, which is installed on more than 70,000 websites.
News URL: https://threatpost.com/orbit-fox-wordpress-plugin-bugs/163020/
Related news
- Litespeed Cache bug exposes millions of WordPress sites to takeover attacks
- Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access
- Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution
- LiteSpeed Cache bug exposes 6 million WordPress sites to takeover attacks
- Critical Security Flaw Found in LiteSpeed Cache Plugin for WordPress
- Patch now: Critical Nvidia bug allows container escape, complete host takeover