Colibri Page Builder Vulnerability – Cross-Site Request Fogery – CVE-2024-1362, CVE-2024-1361 | WordPress Plugin Vulnerability Report

Plugin Name: Colibri Page Builder

Key Information:

  • Software Type: Plugin
  • Software Slug: colibri-page-builder
  • Software Status: Active
  • Software Author: extendthemes
  • Software Downloads: 2,380,495
  • Active Installs: 100,000
  • Last Updated: February 22, 2024
  • Patched Versions: 1.0.260
  • Affected Versions: <= 1.0.253

Vulnerability Details:

  • Name: Colibri Page Builder <= 1.0.253 - Cross-Site Request Fogery via cp_shortcode_refresh
  • Title: Cross-Site Request Fogery via cp_shortcode_refresh
  • Type: Cross-Site Request Forgery (CSRF)
  • CVE: CVE-2024-1362
  • CVSS Score: 4.3 (Medium)
  • Publicly Published: February 22, 2024
  • Researcher: Lucio Sá
  • Description: The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the cp_shortcode_refresh() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


The Colibri Page Builder for WordPress has a vulnerability in versions up to and including 1.0.253 that allows unauthenticated attackers to execute arbitrary shortcodes or call some plugin functions via forged requests. This vulnerability has been patched in version 1.0.260.

Detailed Overview:

The Colibri Page Builder plugin did not correctly validate nonces (number used once) on the cp_shortcode_refresh() and apiCall() functions in versions up to and including 1.0.253. This makes it possible for attackers to forge requests to these functions without needing to be authenticated users. Via cp_shortcode_refresh(), attackers could potentially execute harmful shortcodes if they trick an administrator into clicking a link. Via apiCall(), attackers have access to import images, delete posts, or modify theme data. These vulnerabilities open sites using vulnerable versions of Colibri Page Builder to potential compromise.

These issues were reported by researcher Lucio Sá and have been patched by the developers in version 1.0.260, which was released on February 22, 2024. The vulnerabilities were assigned CVE-2024-1362 (cp_shortcode_refresh issue) and CVE-2024-1361 (apiCall issue).

Advice for Users:

  1. Immediate Action: Update to version 1.0.260 or later to patch this vulnerability.
  2. Check for Signs of Vulnerability: Review your site's logs for any suspicious activity involving the Colibri Page Builder plugin functions.
  3. Alternate Plugins: Consider using alternate page builder plugins like Elementor or Beaver Builder if you have concerns.
  4. Stay Updated: Always keep your WordPress plugins updated to the latest versions.


These vulnerabilities found by Lucio Sá serve as an important reminder for developers to properly validate nonces and perform strict input sanitization on plugin functions. Users of the Colibri Page Builder plugin on WordPress sites should update as soon as possible to version 1.0.260 or later. Staying up-to-date with security patches is essential to securing WordPress sites against threats.


Detailed Report:

Keeping your WordPress website secure should be a top priority for any website owner. Unfortunately, vulnerabilities in plugins like the popular Colibri Page Builder are frequently discovered, putting over 100,000 sites using this plugin at risk if left unpatched. In versions up to and including 1.0.253, critical security issues have been found related to cross-site request forgery (CSRF) that allow attackers to potentially compromise administrator accounts or make harmful changes by tricking admins into clicking malicious links. Without urgent updates, sites using older versions of Colibri Page Builder could have content deleted, images imported without consent, or malicious code executed.

The Colibri Page Builder plugin did not correctly validate security tokens on key functions like cp_shortcode_refresh() and apiCall() in affected versions. This allows attackers to forge requests to execute actions in the plugin without needing an admin login. Via cp_shortcode_refresh(), hackers could run harmful shortcodes if an admin clicks a link. The apiCall() issue allows attackers access to import images, delete posts, and modify theme data without authorization.

These severe vulnerabilities open sites relying on outdated Colibri Page Builder versions to compromise of admin accounts, data loss, malware infections, and blacklisting by security services if exploited. It is essential sites update to version 1.0.260 to patch the vulnerabilities, which were reported by Lucio Sá and assigned CVE-2024-1362 and CVE-2024-1361. Version 1.0.260 was released by developers ExtendThemes on February 22, 2024 specifically to address these issues.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Leave a Comment