Page Builder by SiteOrigin Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘siteorigin_widget’ Shortcode – CVE-2024-4361 | WordPress Plugin Vulnerability Report

Plugin Name: Page Builder by SiteOrigin

Key Information:

  • Software Type: Plugin
  • Software Slug: siteorigin-panels
  • Software Status: Active
  • Software Author: gpriday
  • Software Downloads: 51,387,711
  • Active Installs: 700,000
  • Last Updated: May 20, 2024
  • Patched Versions: 2.29.16
  • Affected Versions: <= 2.29.15

Vulnerability Details:

  • Name: Page Builder by SiteOrigin <= 2.29.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'siteorigin_widget' Shortcode
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-4361
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: May 20, 2024
  • Researcher: stealthcopter
  • Description: The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 2.29.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Page Builder by SiteOrigin plugin for WordPress has a vulnerability in versions up to and including 2.29.15 that allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages via the 'siteorigin_widget' shortcode due to insufficient input sanitization and output escaping. This vulnerability has been patched in version 2.29.16.

Detailed Overview:

The vulnerability, discovered by researcher stealthcopter, exists in the Page Builder by SiteOrigin plugin's 'siteorigin_widget' shortcode. Insufficient input sanitization and output escaping on user-supplied attributes allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page, potentially compromising the site's security and the user's data. The vulnerability has been assigned the CVE identifier CVE-2024-4361 and has a CVSS score of 6.4 (Medium).

Advice for Users:

  1. Immediate Action: Update the Page Builder by SiteOrigin plugin to version 2.29.16 or later to patch this vulnerability.
  2. Check for Signs of Vulnerability: Review your site's pages for any suspicious scripts or unauthorized modifications.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 2.29.16 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/siteorigin-panels

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/siteorigin-panels/page-builder-by-siteorigin-22915-authenticated-contributor-stored-cross-site-scripting-via-siteorigin-widget-shortcode

Detailed Report:

In the ever-evolving world of web technology, ensuring the security of your website is of utmost importance. As a website owner, it's crucial to stay informed about potential vulnerabilities and take proactive measures to protect your site and your users' data. Today, we'll discuss a recently discovered vulnerability in the popular WordPress plugin, Page Builder by SiteOrigin, and emphasize the significance of keeping your plugins up to date.

The Page Builder by SiteOrigin Plugin

Page Builder by SiteOrigin is a widely-used WordPress plugin that allows users to create responsive page layouts using a drag-and-drop interface. The plugin has been actively maintained by its author, gpriday, and has been downloaded over 51 million times, with an estimated 700,000 active installations.

The Vulnerability (CVE-2024-4361)

A vulnerability was recently discovered in the Page Builder by SiteOrigin plugin, affecting all versions up to and including 2.29.15. The vulnerability, identified as CVE-2024-4361, is classified as an Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS).

The vulnerability exists in the plugin's 'siteorigin_widget' shortcode, where insufficient input sanitization and output escaping on user-supplied attributes allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses an injected page.

Risks and Potential Impacts

Attackers exploiting this vulnerability could compromise your website, steal sensitive user data, or even use your site to distribute malware to your visitors. The consequences could be devastating for both your website and your reputation.

An attacker with contributor-level access or higher could inject malicious scripts into your website's pages, potentially allowing them to:

  • Steal sensitive user information (e.g., login credentials, personal data)
  • Deface your website or modify its content
  • Redirect visitors to malicious websites
  • Use your website to distribute malware to unsuspecting visitors

Remediation

The plugin developers have promptly released a patched version (2.29.16) to address this issue. To mitigate the risk posed by this vulnerability, follow these steps:

  1. Update the Page Builder by SiteOrigin plugin to version 2.29.16 or later.
  2. Review your site's pages for any suspicious scripts or unauthorized modifications.
  3. Consider using alternate plugins that offer similar functionality as a precaution.
  4. Ensure that all your WordPress plugins, themes, and core installation are always updated to the latest versions.

Previous Vulnerabilities

It's worth noting that the Page Builder by SiteOrigin plugin has had 4 previous vulnerabilities since December 2015. This underscores the importance of staying vigilant and keeping your plugins updated to ensure the security of your website.

The Importance of Staying Updated

As a small business owner with a WordPress website, it can be challenging to find the time to stay on top of security vulnerabilities. However, the consequences of neglecting website security can be severe, potentially leading to data breaches, loss of customer trust, and damage to your brand reputation.

By regularly updating your WordPress plugins, themes, and core installation, you can significantly reduce the risk of falling victim to known vulnerabilities. Staying informed about potential security issues and taking proactive measures to address them is essential for maintaining a secure online presence.

If you're unsure about how to proceed with updating your plugins or have concerns about your website's security, consider seeking the assistance of a professional web developer or security expert. They can help you implement best practices for website security, monitor your site for potential threats, and ensure that your WordPress installation remains up to date and secure.

Remember, investing in website security is an investment in the long-term success and stability of your online business. By prioritizing the security of your website, you can protect your users' data, maintain customer trust, and focus on growing your business with peace of mind.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Page Builder by SiteOrigin Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘siteorigin_widget’ Shortcode – CVE-2024-4361 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment