Website Builder by SeedProd Vulnerability – Missing Authorization via seedprod_lite_new_lpage – CVE-2024-1072 | WordPress Plugin Vulnerability Report
Plugin Name: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
Key Information:
- Software Type: Plugin
- Software Slug: coming-soon
- Software Status: Active
- Software Author: seedprod
- Software Downloads: 23,816,722
- Active Installs: 900,000
- Last Updated: February 1, 2024
- Patched Versions: 6.15.23
- Affected Versions: <= 6.15.21
Vulnerability Details:
- Name: Website Builder by SeedProd <= 6.15.21 - Missing Authorization
- Title: Missing Authorization via seedprod_lite_new_lpage
- Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
- CVE: CVE-2024-1072
- CVSS Score: 8.2
- Publicly Published: January 31, 2024
- Researcher: Lucio Sá
- Description: The Website Builder by SeedProd plugin is susceptible to unauthorized data modification due to a missing capability check in the seedprod_lite_new_lpage function. This vulnerability enables unauthenticated attackers to alter the content of coming-soon, maintenance, login, and 404 pages created with the plugin. Although version 6.15.22 addressed this issue, it introduced a bug affecting admin pages, making the update to version 6.15.23 imperative for a complete fix.
Summary:
The Website Builder by SeedProd plugin, an essential tool for creating various landing pages on WordPress sites, has experienced a critical vulnerability in versions up to and including 6.15.21. This security flaw allowed attackers without authentication to modify page contents, posing a significant risk to site integrity. The developers have rectified this in version 6.15.23, following an intermediary update that inadvertently introduced a separate issue.
Detailed Overview:
Discovered by cybersecurity researcher Lucio Sá, this vulnerability presents a substantial risk due to its ability to be exploited by unauthenticated users, potentially leading to unauthorized content changes on critical pages. The CVSS score of 8.2 reflects the high impact of integrity violations, although the lack of confidentiality impact slightly mitigates the overall severity. Users are urged to update to version 6.15.23 immediately, which not only patches the vulnerability but also resolves the admin page bug introduced in the previous patch.
Advice for Users:
- Immediate Action: Upgrade immediately to version 6.15.23 of the Website Builder by SeedProd plugin to secure your WordPress site against this vulnerability.
- Check for Signs of Vulnerability: Monitor your site for any unexpected changes to your coming-soon, maintenance, login, and 404 pages, as these could indicate exploitation.
- Alternate Plugins: If updating is not immediately possible, consider temporarily using alternate page-building plugins to maintain site security.
- Stay Updated: Regularly updating your WordPress plugins is crucial for security. Always apply updates as soon as they are available to protect against vulnerabilities.
Conclusion:
The rapid identification and patching of this vulnerability by SeedProd's developers underscore the dynamic nature of web security and the critical role of community vigilance. For WordPress site owners, this incident highlights the importance of regular plugin updates and the need for ongoing security monitoring to protect digital assets from emerging threats.
References:
In an era where digital presence is synonymous with brand identity, the security of a website's components becomes paramount. The recent discovery of a vulnerability in the "Website Builder by SeedProd" plugin, a cornerstone for many WordPress sites, underscores this critical aspect. Known as CVE-2024-1072, this vulnerability highlights the delicate balance between functionality and security, serving as a stark reminder of the vigilance required in the digital sphere.
Plugin Overview:
"Website Builder by SeedProd" is more than just a plugin; it's an integral tool for WordPress users, facilitating the creation of landing pages, maintenance modes, coming-soon pages, and more. With its user-friendly interface, it has amassed over 900,000 active installations, becoming a go-to solution for website customization. Developed by SeedProd and boasting an impressive 23,816,722 downloads, its recent update on February 1, 2024, to version 6.15.23, was crucial in addressing the newfound security flaw.
Vulnerability Insights:
CVE-2024-1072 exposed a missing authorization check within the plugin's 'seedprod_lite_new_lpage' function, allowing unauthenticated users to alter web page contents. This vulnerability posed a significant risk, enabling potential attackers to modify coming-soon, maintenance, login, and 404 pages without permission. Publicly disclosed on January 31, 2024, by researcher Lucio Sá, this issue was promptly addressed, but not before shedding light on the potential dangers of oversight in software development.
Risks and Potential Impacts:
The risks associated with CVE-2024-1072 extend beyond simple unauthorized webpage alterations. For small businesses, any hint of a security breach can undermine customer trust, potentially leading to lost revenue and reputational damage. In a digital ecosystem where credibility is currency, such vulnerabilities can be exploited to spread malware, phish for sensitive information, or conduct other malicious activities under the guise of a trusted site.
Remediation and Precautionary Measures:
To mitigate the risks posed by CVE-2024-1072, users are urged to update to version 6.15.23 of the plugin, which not only addresses the vulnerability but also rectifies a subsequent bug introduced in the intermediary patch. Beyond immediate updates, website owners should adopt a proactive stance towards security: regularly reviewing plugin updates, monitoring site activity for irregularities, and considering alternative solutions to maintain operational continuity.
Historical Context and Continuous Vigilance:
This is not the first time the SeedProd plugin has faced security challenges; with three previous vulnerabilities reported since June 25, 2020, the pattern underscores the dynamic nature of cybersecurity threats. Each new vulnerability serves as a learning opportunity, emphasizing the importance of continuous monitoring, timely updates, and an overarching commitment to digital hygiene.
In conclusion, the case of CVE-2024-1072 within the SeedProd plugin serves as a critical lesson for small business owners and digital practitioners alike. In the fast-paced world of technology, staying informed and responsive to security advisories is not just best practice—it's a necessity. As we navigate the complexities of web security, let us remember that vigilance and proactive measures are key to safeguarding our digital storefronts against the ever-evolving landscape of cyber threats. For small business owners, the task of maintaining a secure WordPress site, amidst myriad other responsibilities, can seem daunting. However, leveraging automated security solutions, staying abreast of updates, and occasionally consulting with cybersecurity experts can ensure that your digital presence remains both robust and reliable, without overwhelming your schedule.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.