Page Builder: Pagelayer Vulnerability – Drag and Drop website builder – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes – CVE-2024-2127 | WordPress Plugin Vulnerability Report
Plugin Name: Page Builder: Pagelayer – Drag and Drop website builder
Key Information:
- Software Type: Plugin
- Software Slug: pagelayer
- Software Status: Active
- Software Author: softaculous
- Software Downloads: 5,791,472
- Active Installs: 200,000
- Last Updated: March 12, 2024
- Patched Versions: 1.8.4
- Affected Versions: <= 1.8.3
Vulnerability Details:
- Name: Page Builder: Pagelayer – Drag and Drop website builder <= 1.8.3
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2127
- CVSS Score: 6.4
- Publicly Published: March 7, 2024
- Researcher: Not provided
- Description: The plugin is vulnerable to Stored Cross-Site Scripting (XSS) via custom attributes in all versions up to and including 1.8.3. Because attribute input is insufficiently sanitized and output is not escaped, authenticated users with Contributor-level permissions or higher can inject arbitrary web scripts into pages; those scripts execute whenever a user views an injected page, compromising site security and user safety.
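An added illustration of the class of flaw described above, not Pagelayer's own code: the unsafe pattern of echoing contributor-supplied attribute names and values verbatim, next to a hardened renderer that allow-lists attribute names and escapes values with WordPress's esc_attr() and esc_url(). It assumes the custom attributes arrive as a PHP associative array of name => value.

```php
<?php
// Illustrative pattern only (assumption): NOT Pagelayer's code. Shows why
// unescaped custom attributes become stored XSS and one way to harden them.

// Vulnerable pattern: attribute names and values saved by a Contributor are
// concatenated straight into markup, so a name such as an event-handler
// attribute, or a value containing a double quote, breaks out of the
// attribute context and executes for every visitor of the page.
function render_attrs_unsafe( array $attrs ): string {
    $out = '';
    foreach ( $attrs as $name => $value ) {
        $out .= ' ' . $name . '="' . $value . '"';
    }
    return $out;
}

// Hardened pattern: allow-list the attribute name (which drops on*, style,
// srcdoc and anything else not listed), restrict URL-bearing attributes to
// WordPress's allowed protocols, and escape every value for the attribute
// context on output. Validate again at save time; output escaping is the
// last line of defence, not the only one.
function render_attrs_safe( array $attrs ): string {
    $allowed_exact = array( 'id', 'class', 'title', 'role', 'href', 'target', 'rel' );
    $out = '';
    foreach ( $attrs as $name => $value ) {
        $name    = strtolower( (string) $name );
        $is_data = (bool) preg_match( '/^data-[a-z0-9-]+$/', $name );
        $is_aria = (bool) preg_match( '/^aria-[a-z]+$/', $name );
        if ( ! $is_data && ! $is_aria && ! in_array( $name, $allowed_exact, true ) ) {
            continue; // unknown or dangerous attribute name: drop it entirely
        }
        if ( 'href' === $name ) {
            // esc_url() returns '' for javascript:, data: and other
            // protocols outside wp_allowed_protocols().
            $value = esc_url( (string) $value );
            if ( '' === $value ) {
                continue;
            }
        } else {
            $value = esc_attr( (string) $value ); // encodes " ' < > &
        }
        $out .= ' ' . $name . '="' . $value . '"';
    }
    return $out;
}
```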
Summary:
The popular WordPress plugin, Page Builder: Pagelayer, facilitates effortless website building with its drag-and-drop functionality. However, a significant security flaw has been identified in versions up to 1.8.3, where attackers can exploit custom attributes to inject malicious scripts. This vulnerability, addressed in the latest patch, version 1.8.4, poses a considerable risk to website integrity and user data protection.
Detailed Overview:
The vulnerability, reported by an unnamed researcher and published on March 7, 2024, highlights an oversight in the plugin's handling of custom attributes. Because script injection is possible for users holding only Contributor-level privileges, affected websites are exposed to a range of threats, including data theft, unauthorized access, and malware distribution. The swift release of a patched version by softaculous, the plugin's developer, underscores the urgency of the issue.
Advice for Users:
- Immediate Action: Upgrade to version 1.8.4 immediately to safeguard your WordPress site against this vulnerability. Ensure all updates are applied from the WordPress dashboard under the 'Plugins' section.
- Check for Signs of Exploitation: Monitor your website for unexpected content changes or unusual user activity, either of which may indicate exploitation.
- Alternate Plugins: While the updated version rectifies the XSS vulnerability, users might explore other page builder plugins that meet their specific needs and security requirements.
- Stay Updated: Regularly updating all site components, including plugins, themes, and the WordPress core, is crucial for maintaining security and functionality.
Conclusion:
The discovery of CVE-2024-2127 within the Page Builder: Pagelayer plugin serves as a critical reminder of the importance of cybersecurity vigilance in the WordPress ecosystem. For small business owners and website administrators, the proactive management of software updates is not just a technical task but a foundational element of digital stewardship. Ensuring the use of secure, up-to-date plugins is essential for protecting digital assets and preserving the trust of website users.