Ultimate Addons for Beaver Builder Vulnerability – Lite – Authenticated (Contributor+) Stored Cross-Site Scripting via Image Separator Widget – CVE-2024-2144 | WordPress Plugin Vulnerability Report

Plugin Name: Ultimate Addons for Beaver Builder – Lite

Key Information:

  • Software Type: Plugin
  • Software Slug: ultimate-addons-for-beaver-builder-lite
  • Software Status: Active
  • Software Author: brainstormforce
  • Software Downloads: 499,391
  • Active Installs: 30,000
  • Last Updated: April 1, 2024
  • Patched Versions: 1.5.8
  • Affected Versions: <= 1.5.7

Vulnerability Details:

  • Name: Ultimate Addons for Beaver Builder – Lite <= 1.5.7
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2144
  • CVSS Score: 6.4
  • Publicly Published: March 29, 2024
  • Researcher: Francesco Carlucci
  • Description: The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Separator widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Ultimate Addons for Beaver Builder – Lite for WordPress has a vulnerability in versions up to and including 1.5.7 that allows for Stored Cross-Site Scripting via the Image Separator widget. This vulnerability has been patched in version 1.5.8.

Detailed Overview:

Francesco Carlucci, a noted researcher, discovered the vulnerability. The core of the issue lies within the Image Separator widget, where insufficient input sanitization and output escaping lead to the injection of arbitrary web scripts. This vulnerability poses a significant risk as it allows attackers with at least contributor-level access to execute scripts that could compromise the security of the website. The prompt patching of this vulnerability in version 1.5.8 is a critical remediation step.

Advice for Users:

  • Immediate Action: Update to version 1.5.8 immediately.
  • Check for Signs of Vulnerability: Monitor your site for unusual activities or unauthorized content changes.
  • Alternate Plugins: Consider alternative plugins with similar functionality as a precautionary measure.
  • Stay Updated: Regularly update your plugins to the latest versions to mitigate the risks of vulnerabilities.

Conclusion:

The swift action by the developers of Ultimate Addons for Beaver Builder – Lite to release a patch for this vulnerability highlights the importance of maintaining up-to-date software. Users are strongly advised to upgrade to version 1.5.8 or later to secure their WordPress installations against this and similar vulnerabilities.

References:

Detailed Report: 

In today's interconnected world, the security of your website is paramount. A recent vulnerability found in the "Ultimate Addons for Beaver Builder – Lite," a widely-used WordPress plugin, serves as a stark reminder of the ongoing battle against cybersecurity threats. Identified as CVE-2024-2144, this flaw exposed websites to potential Stored Cross-Site Scripting (XSS) attacks, a reminder of the ever-present need for vigilance and proactive measures in safeguarding your online presence.

About the Plugin:

The "Ultimate Addons for Beaver Builder – Lite" plugin, developed by Brainstorm Force, is a tool designed to enhance website functionality and design. With over 30,000 active installations and nearly 500,000 downloads, its popularity within the WordPress community is undisputed. The plugin's last update was on April 1, 2024, addressing the critical vulnerability in question.

Vulnerability Details:

The vulnerability, CVE-2024-2144, was a result of insufficient input sanitization and output escaping within the Image Separator widget, making it possible for attackers with contributor-level access or higher to inject malicious scripts. These scripts could then be executed by any user accessing the affected page, potentially leading to unauthorized data access or other security breaches. The issue was present in all plugin versions up to and including 1.5.7, with a CVSS score of 6.4, indicating a substantial risk.

Risks and Potential Impacts:

The primary risk associated with this vulnerability is the unauthorized execution of scripts, which could lead to data theft, website defacement, or the spreading of malware to visitors. For small business owners, such security breaches can result in significant reputational damage, loss of customer trust, and potential financial liabilities.

Remediation Steps:

The plugin's developers have released a patched version, 1.5.8, to address this vulnerability. It is imperative for users of the plugin to update to this latest version immediately. Additionally, website owners should regularly scan their sites for unusual activities or unauthorized content changes, which could indicate a compromise.

Previous Vulnerabilities:

It's worth noting that this isn't the plugin's first encounter with security issues. There have been 7 previous vulnerabilities reported since January 23, 2023, underscoring the importance of regular monitoring and updates.

Conclusion:

For small business owners, the task of staying on top of every security vulnerability can seem daunting, especially when time and resources are limited. However, the cost of neglecting these aspects can be far greater. Implementing regular update routines, utilizing security plugins, and considering managed hosting services that handle security for you can significantly mitigate risks. Staying informed and proactive is not just about protecting your website; it's about safeguarding your business, your customers, and your reputation in the digital age. Let this incident be a reminder of the critical importance of maintaining a secure online presence and the need for continuous vigilance in an ever-evolving cybersecurity landscape.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Ultimate Addons for Beaver Builder Vulnerability – Lite – Authenticated (Contributor+) Stored Cross-Site Scripting via Image Separator Widget – CVE-2024-2144 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment