Bold Page Builder Vulnerability – Stored Cross-Site Scripting – CVE-2024-3267 & CVE-2024-3266 | WordPress Plugin Vulnerability Report
Plugin Name: Bold Page Builder
Key Information:
- Software Type: Plugin
- Software Slug: bold-page-builder
- Software Status: Active
- Software Author: BoldThemes
- Software Downloads: 1,754,649
- Active Installs: 50,000
- Last Updated: April 16, 2024
- Patched Versions: 4.8.9
- Affected Versions: <= 4.8.8
Vulnerability 1 Details:
- Name: Bold Page Builder <= 4.8.8
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_price_list Shortcode
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-3267
- CVSS Score: 6.4
- Publicly Published: April 5, 2024
- Researcher: stealthcopter
- Description: The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_price_list shortcode in all versions up to, and including, 4.8.8 due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers, with contributor-level access and above, can inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
Vulnerability 2 Details:
- Name: Bold Page Builder <= 4.8.8
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget URL Attribute
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-3266
- CVSS Score: 6.4
- Publicly Published: April 5, 2024
- Researcher: wesley
- Description: The Bold Page Builder plugin is also vulnerable to Stored Cross-Site Scripting via the URL attribute of widgets in all versions up to, and including, 4.8.8. This vulnerability stems from insufficient input sanitization and output escaping, allowing authenticated attackers to inject arbitrary web scripts that execute on accessing an injected page.
Summary:
The Bold Page Builder for WordPress has vulnerabilities in versions up to and including 4.8.8 that allow for Stored Cross-Site Scripting through both shortcode and widget URL attributes. These vulnerabilities have been patched in version 4.8.9.
Detailed Overview:
The vulnerabilities identified by researchers stealthcopter and wesley involve insufficient input sanitization and output escaping, critical in web security to prevent XSS attacks. Both vulnerabilities permit injected scripts to persist within the website's content, posing risks such as data theft, session hijacking, and unauthorized actions on behalf of the users. Prompt updates to the latest software version alongside thorough reviews of user roles and permissions are necessary for remediation.
Advice for Users:
- Immediate Action: Update to the patched version 4.8.9 immediately.
- Check for Signs of Vulnerability: Regularly review your website's content for unexpected script elements and monitor user roles to ensure only trusted users have contributor-level access or higher.
- Alternate Plugins: Consider other reputable page builder plugins if you frequently encounter security issues with your current plugin.
- Stay Updated: Ensure that all your website's plugins are regularly updated to protect against known vulnerabilities.
Conclusion:
The quick response by BoldThemes to address these vulnerabilities through updates highlights the importance of keeping digital tools up to date. Users are strongly advised to upgrade to version 4.8.9 or later to secure their WordPress installations against these XSS vulnerabilities.
References:
- WordFence - Vulnerability in Bold Page Builder via bt_bb_price_list Shortcode
- WordFence - Vulnerability in Bold Page Builder via Widget URL Attribute
Detailed Report:
Introduction:
In the digital realm, the security of your WordPress website hinges crucially on the plugins you install. Recent findings have spotlighted vulnerabilities in the Bold Page Builder plugin, a popular tool utilized by over 50,000 websites, which underscore this point vividly. Versions up to and including 4.8.8 have been compromised by Stored Cross-Site Scripting vulnerabilities, identified as CVE-2024-3267 and CVE-2024-3266. These flaws allow attackers, even those with only contributor-level access, to inject harmful scripts that execute on victim pages, putting user data and website integrity at serious risk. As vulnerabilities like these can lead to data theft, session hijacking, and unauthorized actions, keeping your software up to date is not just recommended; it's imperative for safeguarding your online presence. This post aims to dissect these vulnerabilities, offer remedial advice, and serve as a resource for website owners looking to enhance their security posture in an increasingly perilous cyber landscape.
Vulnerability Overview:
- CVE-2024-3267: This vulnerability stems from insufficient sanitization of the bt_bb_price_list shortcode, allowing authenticated users with at least contributor privileges to embed arbitrary scripts into pages. These scripts are then executed when other users or administrators view the affected pages.
- CVE-2024-3266: Similarly, this flaw involves the URL attribute of widgets, where scripts injected by contributors are executed on the client side without the user's knowledge, leading to potential data breaches or further exploitation of the site's backend.
Risks and Impacts:
The identified vulnerabilities allow attackers to manipulate web pages and potentially gain unauthorized access to sensitive information, compromising both user trust and the operational integrity of the website. In scenarios where attackers escalate their privileges, the entire site could be at risk, leading to potential data loss or hijacking of the site for malicious purposes.
Remediation Steps:
- Immediate Update: Upgrade immediately to version 4.8.9 of Bold Page Builder, which addresses these vulnerabilities.
- Audit User Roles: Ensure that only trusted users have access to higher privileges such as contributor roles or above.
- Regular Monitoring: Frequently check your website for unusual activities or unauthorized script insertions, especially in posts and widgets.
Historical Vulnerabilities:
Since August 23, 2019, Bold Page Builder has encountered eight documented vulnerabilities, highlighting the importance of regular updates and continuous monitoring of security advisories related to your WordPress installations.
Conclusion:
The swift response from BoldThemes to patch the vulnerabilities in Bold Page Builder serves as a critical reminder of the importance of maintaining up-to-date installations of all software on your website. For small business owners, automating updates where possible, subscribing to security blogs, and using trusted security plugins can significantly reduce the risk of vulnerabilities. Remember, the security of your website not only protects your business but also safeguards your customers, fostering a trustworthy digital environment.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.