Vulnerability Exposes Over 4 Million Sites Using WPBakery | Update IMMEDIATELY!
Wordfence’s Threat Intelligence team reached out to the plugin’s team on July 28, 2020 through their support forum. After receiving confirmation of the appropriate support channel, Wordfence’s Threat Intelligence team disclosed the full details on July 29, 2020.
They confirmed the vulnerability and reported that their development team had begun working on a fix on July 31, 2020. After a long period of correspondence with the plugin development team, and a number of insufficient patches, a final sufficient patch was released on September 24, 2020.
We highly recommend updating to the latest version, 6.4.1 as of today, immediately. While doing so, we also recommend verifying that you do not have any untrusted contributor or author user accounts on your WordPress site.
WPBakery Page Builder is the most popular page builder for WordPress. It is a very easy-to-use tool that allows site owners to create custom pages using drag-and-drop capabilities.
saveAjaxFe function using
Furthermore, while WPBakery only intended pages that were built with the WPBakery page builder to be editable via the builder, users could access the editor by supplying the correct parameters and values for any post. This could be classified as a general bug as well as a security issue, and is what made it possible for contributors and editors to use the
wp_ajax_vc_save AJAX action and corresponding
vc_raw_html, and button using
In the latest version of WPBakery, lower level users no longer have
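The two conditions the advisory describes, an AJAX save path reachable for any post by a lower-privileged user and content that was not filtered according to the caller's capabilities, are the same two checks a hardened handler has to make. The example below is added here as an illustration and is not WPBakery's code; the `wp_ajax_vc_save` action name comes from the advisory, while the handler name, the nonce field, the request field names and the `_example_built_with_builder` meta key are assumptions made for the example.

```php
<?php
/**
 * Added example, not code from the plugin: a hardened handler for the
 * wp_ajax_vc_save action that enforces object-level authorization and
 * filters content according to the caller's capabilities.
 *
 * Assumptions (not from the advisory): the handler name, the nonce action/field,
 * the post_id/content request fields and the _example_built_with_builder meta key.
 */

add_action( 'wp_ajax_vc_save', 'example_hardened_vc_save' );

/**
 * Apply WordPress core's own rule: only callers with unfiltered_html may store
 * raw HTML. Everyone else (contributors and authors on a single site; editors and
 * administrators as well on multisite) goes through wp_kses_post(), which strips
 * <script>, on* event handler attributes and javascript: URLs.
 */
function example_filter_content_for_current_user( $html ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $html;
    }
    return wp_kses_post( $html );
}

function example_hardened_vc_save() {
    // CSRF: reject requests that do not carry a valid nonce for this action.
    // (Nonce action and field name are assumptions for the example.)
    check_ajax_referer( 'example_vc_save', '_example_nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';

    // Object-level authorization: the caller must be allowed to edit THIS post.
    // Checking only for a role (e.g. "is a contributor") is what lets a user
    // target arbitrary posts by supplying the right parameters.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to edit this post.' ), 403 );
    }

    // Only posts actually built with the page builder should be editable via
    // the builder endpoint (meta key is an assumption for illustration).
    if ( 'yes' !== get_post_meta( $post_id, '_example_built_with_builder', true ) ) {
        wp_send_json_error( array( 'message' => 'Post was not built with the builder.' ), 403 );
    }

    // Capability-aware content filtering. A contributor submitting
    // <button onclick="alert(1)">x</button> or a raw <script> block ends up
    // with the handler attribute and the script element removed.
    $content = example_filter_content_for_current_user( $content );

    $result = wp_update_post(
        array( 'ID' => $post_id, 'post_content' => $content ),
        true
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

The order of the checks matters: the nonce and the per-post `edit_post` check run before anything is read from the database, and the `unfiltered_html` test decides filtering per user rather than per role, so the same handler behaves correctly on multisite, where even administrators lack that capability by default. For the account review recommended above, WP-CLI's `wp user list --role=contributor` and `wp user list --role=author` give a quick inventory of the accounts that would have been able to reach this path.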
If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a significant security update.