Wordfence’s Threat Intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites. This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts.
Wordfence’s Threat Intelligence has reached out to the plugin’s team on July 28, 2020 through their support forum. After receiving confirmation of the appropriate support channel, Wordfence’s Threat Intelligence disclosed the full details on July 29, 2020.
They confirmed the vulnerability and reported that their development team had begun working on a fix on July 31, 2020. After a long period of correspondence with the plugin development team, and a number of insufficient patches, a final sufficient patch was released on September 24, 2020.
We highly recommend updating to the latest version, 6.4.1 as of today, immediately. While doing so, we also recommend verifying that you do not have any untrusted contributor or author user accounts on your WordPress site.
WPBakery page builder is the most popular page builder for WordPress. It is very easy to use tool that allows site owners to create custom pages using drag and drop capabilities.
Unfortunately, the plugin was designed with a flaw that could give users with contributor and author level roles the ability to inject malicious JavaScript into pages and posts. This flaw also gave these users the ability to edit other users’ posts. The plugin explicitly disabled any default post HTML filtering checks in the saveAjaxFe
function using kses_remove_filters();
. This meant that any user with access to the WPBakery builder could inject HTML and JavaScript anywhere in a post using the page builder.
323334353637383940414243444546474849505152 | public function saveAjaxFe() { vc_user_access()->checkAdminNonce()->validateDie()->wpAny( 'edit_posts' , 'edit_pages' )->validateDie(); $post_id = intval ( vc_post_param( 'post_id' ) ); if ( $post_id > 0 ) { ob_start(); // Update post_content, title and etc. // post_title // content // post_status if ( vc_post_param( 'content' ) ) { $post = get_post( $post_id ); $post ->post_content = stripslashes ( vc_post_param( 'content' ) ); $post_status = vc_post_param( 'post_status' ); $post_title = vc_post_param( 'post_title' ); if ( null !== $post_title ) { $post ->post_title = $post_title ; } kses_remove_filters(); remove_filter( 'content_save_pre' , 'balanceTags' , 50 ); |
Furthermore, while WPBakery only intended pages that were built with the WPBakery page builder to be editable via the builder, users could access the editor by supplying the correct parameters and values for any post. This could be classified as a general bug as well as a security issue, and is what made it possible for contributors and editors to use the wp_ajax_vc_save
AJAX action and corresponding saveAjaxFe
function to inject malicious JavaScript on their own posts as well as other users’ posts.
The plugin also had custom onclick functionality for buttons. This made it possible for an attacker to inject malicious JavaScript in a button that would execute on a click of the button. Furthermore, contributor and author level users were able to use the vc_raw_js
, vc_raw_html
, and button using custom_onclick
shortcodes to add malicious JavaScript to posts.
All of these meant that a user with contributor-level access could inject scripts in posts that would later execute once someone accessed the page or clicked a button, using various different methods. As contributor-level users require approval before publishing, it is highly likely that an administrator would view a page containing malicious JavaScript created by an attacker with contributor-level access. By executing malicious JavaScript in the administrator’s browser, it would be possible for an attacker to create a new malicious administrative user or inject a backdoor, among many other things.
In the latest version of WPBakery, lower level users no longer have unfiltered_html
capabilities by default, however, administrators can grant that permission if they wish to. In addition, users without the appropriate privileges can no longer edit other users’ posts, access the page builder unless permitted or use shortcodes that could allow the injection of malicious JavaScript.
If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a significant security update.
Bijay Pokharel
Related posts
Recent Posts
Subscribe
Cybersecurity Newsletter
You have Successfully Subscribed!
Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox. You are also consenting to our Privacy Policy and Terms of Use.