Colibri Page Builder Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-5038, CVE-2024-4451 | WordPress Plugin Vulnerability Report
Plugin Name: Colibri Page Builder
Key Information:
- Software Type: Plugin
- Software Slug: colibri-page-builder
- Software Status: Active
- Software Author: extendthemes
- Software Downloads: 2,729,511
- Active Installs: 100,000
- Last Updated: June 20, 2024
- Patched Versions: 1.0.277
- Affected Versions: <= 1.0.276
Vulnerability 1 Details:
Name: Colibri Page Builder <= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVE: CVE-2024-5038
CVSS Score: 6.4
Publicly Published: June 5, 2024
Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
Description: The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 1.0.276. This occurs due to inadequate input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts. These scripts execute whenever a user accesses an injected page.
References: Wordfence Advisory
Vulnerability 2 Details:
Name: Colibri Page Builder <= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_video_player Shortcode
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVE: CVE-2024-4451
CVSS Score: 6.4
Publicly Published: June 6, 2024
Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
Description: The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's colibri_video_player shortcode in versions up to, and including, 1.0.276. This occurs due to insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts. These scripts execute whenever a user accesses an injected page.
References: Wordfence Advisory
Summary:
The Colibri Page Builder plugin for WordPress, in versions up to and including 1.0.276, contains two stored Cross-Site Scripting vulnerabilities, both exploitable by authenticated users with the Contributor role or higher: one via the plugin's shortcodes generally (CVE-2024-5038) and one specifically via the colibri_video_player shortcode (CVE-2024-4451). Both are fixed in version 1.0.277.
Detailed Overview:
Both vulnerabilities share the same root cause: shortcode attribute values written by the post author are placed into the rendered HTML without adequate sanitization or output escaping. A Contributor can write and save posts (as drafts or pending review) but cannot publish them or upload files, and because Contributors lack the unfiltered_html capability WordPress strips disallowed HTML from their post content on save. A shortcode, however, is plain bracketed text rather than an HTML tag, so a payload inside a shortcode attribute survives saving and only becomes markup when the plugin's handler renders it. The injected script then runs in the browser of whoever views the page, including an editor or administrator previewing the pending post, and with that user's session it can perform actions such as creating an administrator account or modifying site content. Version 1.0.277 addresses both issues by applying stricter validation and sanitization to the user-supplied attributes.
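To make the bug class concrete, here is an added illustration written for this report; it is not code from Colibri Page Builder and does not claim to reproduce the plugin's handler. It shows a shortcode callback that drops attribute values straight into HTML, beside a hardened version of the same callback. The shortcode name colibri_video_player comes from the advisory; the url and title attributes, the generated markup and the example_ function names are assumptions. It assumes WordPress is loaded (for instance when placed in a must-use plugin), since shortcode_atts(), esc_url(), esc_attr() and add_shortcode() are WordPress core functions.

```php
<?php
// Added illustration of the bug class (not Colibri's own code). The shortcode
// name is from the advisory; attribute names, markup and function names are
// assumptions for this example. Requires WordPress to be loaded.

// --- Vulnerable pattern: attribute values inserted into HTML unescaped ------
function example_video_player_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'title' => '' ),
        $atts,
        'colibri_video_player'
    );
    // No escaping: a value containing a double quote closes the title
    // attribute and anything after it (e.g. an event handler) becomes markup.
    return '<video src="' . $atts['url'] . '" title="' . $atts['title'] . '"></video>';
}

// --- Hardened pattern: validate the URL, escape every attribute on output ---
function example_video_player_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'title' => '' ),
        $atts,
        'colibri_video_player'
    );
    // esc_url() drops values whose scheme is not in the allowed list (so a
    // javascript: URL becomes an empty string); esc_attr() encodes quotes and
    // angle brackets so the value can never break out of its attribute.
    $url   = esc_url( $atts['url'] );
    $title = esc_attr( $atts['title'] );
    if ( '' === $url ) {
        return ''; // Nothing safe to render.
    }
    return sprintf( '<video src="%s" title="%s"></video>', $url, $title );
}

// Register the hardened callback for the shortcode.
add_shortcode( 'colibri_video_player', 'example_video_player_hardened' );
```

With the vulnerable callback, a Contributor who saves the constructed payload [colibri_video_player url="x" title='" onmouseover="alert(document.cookie)'] gets <video src="x" title="" onmouseover="alert(document.cookie)"></video> rendered for every viewer, because WordPress's shortcode parser accepts a double quote inside a single-quoted attribute value and the content filter applied to Contributors does not inspect shortcode text. The hardened callback renders the same input as title="&quot; onmouseover=&quot;alert(document.cookie)", an inert string.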
Advice for Users:
Immediate Action: Update the Colibri Page Builder plugin to version 1.0.277 immediately to mitigate the risk of exploitation for both vulnerabilities.
Check for Signs of Compromise: Search all posts and pages, including drafts and pending-review items that Contributors can create but not publish, for Colibri shortcodes whose attribute values contain HTML, quote characters, event handlers (on...=) or javascript: URLs. Also review the user list for Contributor-or-higher accounts you do not recognise and for administrator accounts you did not create, since creating one is a common goal of stored XSS aimed at an administrator viewing the page.
Interim Mitigation: If you cannot update right away, deactivate Colibri Page Builder until you can; with the plugin inactive its shortcodes are no longer registered and render as literal text, so the handlers that output the injected attributes never run (your page layouts will break in the meantime, so treat this as a short-term measure). Since the vulnerability requires Contributor-level access, temporarily suspending or downgrading such accounts also removes the attack path. If a permanent replacement is wanted, explore alternative plugins offering similar functionality.
Stay Updated: Regularly update all WordPress plugins to their latest versions to prevent vulnerabilities and maintain site security.
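As an added example of the content check described above (written for this report, not code from the advisory or from the plugin): a plain-PHP scanner that pulls every Colibri shortcode out of a post's content, decodes HTML entities in each attribute value, and flags values that carry quotes, angle brackets, event-handler attributes or a javascript: scheme. The colibri_ shortcode prefix comes from the advisory; the sample posts, the suspicious-pattern list and the example_ function name are constructed for this example. It runs stand-alone with the php command line and needs no WordPress functions.

```php
<?php
// Added example scanner (not part of the advisory or the plugin).
// Finds Colibri shortcodes whose attribute values look like markup or script.

function example_find_suspicious_colibri_shortcodes( string $content ): array {
    $hits = array();
    // Match [colibri_xxx ...] opening/self-closing tags; enclosed content is ignored.
    if ( ! preg_match_all( '/\[(colibri_[a-z0-9_]+)\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER ) ) {
        return $hits;
    }
    // Things that should never appear in a shortcode attribute that ends up in HTML.
    $suspicious = '/[<>"\']|javascript\s*:|vbscript\s*:|\bon[a-z]+\s*=/i';

    foreach ( $tags as $tag ) {
        // Attribute values may be double-quoted, single-quoted or bare words,
        // the same three forms WordPress's shortcode parser accepts.
        preg_match_all(
            '/([a-z0-9_-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/i',
            $tag[2],
            $attrs,
            PREG_SET_ORDER
        );
        foreach ( $attrs as $a ) {
            // Only one of the three value groups is ever non-empty, so
            // concatenating them yields the value whichever quoting was used.
            $raw   = ( $a[2] ?? '' ) . ( $a[3] ?? '' ) . ( $a[4] ?? '' );
            // Decode entities so &#106;avascript: is seen as javascript:.
            $value = html_entity_decode( $raw, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
            if ( preg_match( $suspicious, $value ) ) {
                $hits[] = array(
                    'shortcode' => strtolower( $tag[1] ),
                    'attr'      => strtolower( $a[1] ),
                    'value'     => $value,
                );
            }
        }
    }
    return $hits;
}

// Constructed sample post content for the example; post 1 is benign,
// post 2 breaks out of a quoted attribute, post 3 hides a javascript: URL
// behind a numeric entity.
$example_posts = array(
    1 => '[colibri_video_player url="https://example.com/clip.mp4" title="Launch video"]',
    2 => '[colibri_video_player url="x" title=\'" onmouseover="alert(document.cookie)\']',
    3 => '[colibri_video_player url="&#106;avascript:alert(1)"]',
);

foreach ( $example_posts as $post_id => $content ) {
    foreach ( example_find_suspicious_colibri_shortcodes( $content ) as $hit ) {
        printf( "post %d: [%s] %s=%s\n", $post_id, $hit['shortcode'], $hit['attr'], $hit['value'] );
    }
}
```

To run this against a live site, replace the constructed array with the content of real posts, for example by loading the file through WP-CLI (wp eval-file) and iterating over get_posts( array( 'post_status' => 'any', 'post_type' => 'any', 'numberposts' => -1 ) ) so that drafts and pending-review posts, the ones a Contributor can create, are included. Hits are candidates for manual review, not proof of compromise: an apostrophe in a caption will trigger the quote check.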
Conclusion:
The swift response from Colibri Page Builder developers in releasing version 1.0.277 underscores the critical importance of timely updates in safeguarding WordPress sites. Users are strongly advised to ensure they are running version 1.0.277 or newer to protect their installations from potential exploits.
Detailed Report:
In today's digital landscape, the security of your WordPress website is paramount to maintaining trust and safeguarding sensitive information. The recent discovery of vulnerabilities in the Colibri Page Builder plugin serves as a stark reminder of the constant threat posed by cyber attacks. With an extensive user base of 100,000 websites and over 2.7 million downloads, Colibri Page Builder's vulnerabilities, including Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode and colibri_video_player Shortcode, expose websites to potential compromise. This article delves into the specifics of these vulnerabilities, their potential impacts, and offers essential guidance on securing your WordPress site against such threats.
Risks/Potential Impacts:
These vulnerabilities let a low-privileged user store script that runs in other users' browsers when they view the affected page. Against a logged-in administrator that script acts with the administrator's privileges, for example creating new administrator accounts, changing site settings or injecting further content, which can damage the site's functionality, its reputation and the trust of its visitors.
Previous Vulnerabilities:
Colibri Page Builder has a history of vulnerabilities, including 11 reported since June 22, 2023. Each instance underscores the ongoing need for vigilance in plugin security management.
Conclusion:
Version 1.0.277 fixes both issues, and confirming that your site runs it or a newer release is the only complete remedy. For a small business owner, staying informed about plugin vulnerabilities and promptly updating software are essential steps in protecting your website from potential exploits and maintaining trust with your audience.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.