Page Builder: Pagelayer Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Button – CVE-2024-1590 | WordPress Plugin Vulnerability Report

Plugin Name: Page Builder: Pagelayer

Key Information:

  • Software Type: Plugin
  • Software Slug: pagelayer
  • Software Status: Active
  • Software Author: softaculous
  • Software Downloads: 5,658,195
  • Active Installs: 200,000
  • Last Updated: February 22, 2024
  • Patched Versions: 1.8.3
  • Affected Versions: <= 1.8.2

Vulnerability Details:

  • Name: Page Builder: Pagelayer – Drag and Drop website builder <= 1.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Button
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-1590
  • CVSS Score: 4.6 (Medium)
  • Publicly Published: February 22, 2024
  • Researcher: wesley (wcraft)
  • Description: The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button Widget in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Page Builder: Pagelayer plugin for WordPress has a vulnerability in versions up to and including 1.8.2 that allows authenticated users with contributor-level access or higher to inject arbitrary web scripts that will execute when a vulnerable page is accessed. This vulnerability has been patched in version 1.8.3.

Detailed Overview:

Researcher wesley (wcraft) discovered a stored cross-site scripting (XSS) vulnerability in the Page Builder: Pagelayer WordPress plugin. Due to insufficient sanitization of user-supplied input and output escaping in the plugin's Button widget, attackers with contributor-level access or higher can inject malicious scripts that will execute when a vulnerable page is viewed. This could enable theft of cookies, session information, or other sensitive data. Versions up to and including 1.8.2 are affected. The vulnerability has been addressed in version 1.8.3 through improved input and output handling in the vulnerable components.

Advice for Users:

  1. Immediate Action: Update to version 1.8.3 or higher as soon as possible.
  2. Check for Signs of Vulnerability: Review page content and source code for unauthorized scripts. Also monitor site traffic and behavior for anomalies.
  3. Alternate Plugins: Consider alternate page builder plugins like Elementor or Beaver Builder as a precaution.
  4. Stay Updated: Enable automatic background updates in WordPress to ensure plugins stay updated.

Conclusion:

The prompt response from the Pagelayer developers to patch this vulnerability is reassuring. Users should upgrade to version 1.8.3 or later immediately to close this vulnerability on their sites. As always, enabling automatic background updates is advised to quickly address future vulnerabilities.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pagelayer

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pagelayer/page-builder-pagelayer-drag-and-drop-website-builder-182-authenticated-contributor-stored-cross-site-scripting-via-button

Detailed Report:

Keeping your WordPress website secure should be a top priority for any website owner. Unfortunately, vulnerabilities in themes, plugins, and WordPress core are frequently discovered that put sites at risk if left unaddressed. One such vulnerability was recently disclosed in the popular Page Builder: Pagelayer plugin that allows contributors and authors to inject malicious code into pages.

Page Builder: Pagelayer is an actively maintained drag and drop website builder plugin with over 200,000 active installs. This vulnerability impacts all versions up to and including 1.8.2.

Specifically, the vulnerability is an authenticated stored cross-site scripting issue that enables users with contributor access or higher to input malicious JavaScript or other code that will execute when a vulnerable page is viewed. This poses serious security risks including cookie and session theft, malware injection, or complete site takeover.

While technical in nature, the implications of this vulnerability are serious. Attackers could gain access to your WordPress dashboard, modify or delete site content, steal customer data, and more. Promptly updating to the patched release is critical to secure your website.

To remediate this vulnerability, users simply need to update to Page Builder: Pagelayer version 1.8.3, which was quickly released after private disclosure to the developer. You should immediately login to your WordPress dashboard, navigate to Plugins > Installed Plugins, check for available updates, and updated Page Builder: Pagelayer if an update is shown. As an extra precaution, there are alternate page builder plugins like Elementor you could consider.

I also advise enabling automatic background updates for your WordPress plugins whenever possible. This allows critical security patches like this one to be addressed quickly and seamlessly without any effort on your part. Over 10 previous vulnerabilities have been found in Page Builder: Pagelayer, so staying on top of updates is extremely important.

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.

Page Builder: Pagelayer Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Button – CVE-2024-1590 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment