
Critical WordPress-Plugin Bug Found in ‘Orbit Fox’ Allows Site Takeover
2021-01-13 19:41

Two vulnerabilities in a WordPress plugin called Orbit Fox could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.

Orbit Fox is a multi-featured WordPress plugin that works with the Elementor, Beaver Builder and Gutenberg site-building utilities.

The lack of server-side validation in Orbit Fox means that lower-level contributors, authors and editors for the site could set the user role to that of an administrator upon successful registration - so all an attacker would need to do is register as a new user, and they would then be granted administrator privileges.
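To illustrate the class of bug described above, here is an added example in WordPress plugin PHP (not Orbit Fox's actual code); the function names are hypothetical, and the vulnerable handler stands beside a hardened one that decides the role server-side.

```php
<?php
// Added illustration, not Orbit Fox's code: a registration handler that
// trusts a role value submitted by the client, beside a hardened version.

// Vulnerable pattern (hypothetical function name): the role is read from
// the submitted form, e.g. a hidden field, so whoever controls the form
// can ask wp_insert_user() to create an administrator account.
function example_register_user_vulnerable( array $request ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => $request['password'],
        'role'       => sanitize_text_field( $request['role'] ), // client-controlled
    ) );
}

// Hardened version (hypothetical function name): self-registration always
// receives the site's configured default role; any other role requires a
// logged-in user who already holds the capability to promote users, must
// be a role that exists, and can never be 'administrator' via this path.
function example_register_user_hardened( array $request ) {
    $role = get_option( 'default_role', 'subscriber' );

    if ( isset( $request['role'] ) && $request['role'] !== $role ) {
        $requested = sanitize_key( $request['role'] );
        if ( null === get_role( $requested )
            || 'administrator' === $requested
            || ! current_user_can( 'promote_users' ) ) {
            return new WP_Error( 'forbidden_role', 'Role not permitted.' );
        }
        $role = $requested;
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => $request['password'],
        'role'       => $role,
    ) );
}
```

The defensive point is that sanitizing the input is not the same as authorizing it: the role must be chosen by the server according to who is making the request, not copied from the form.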

In October, two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, were found to open the door to site takeovers.

Newsletter, a WordPress plugin with more than 300,000 installations, was discovered to have a pair of vulnerabilities that could lead to code execution and even site takeover.

Researchers in July warned of a critical vulnerability in a WordPress plugin called Comments - wpDiscuz, which is installed on more than 70,000 websites.
News URL

https://threatpost.com/orbit-fox-wordpress-plugin-bugs/163020/