To start with, researchers have found that the vulnerability allows an attacker to post code that could disrupt an entire page or your site.
So, let’s learn more about it in detail. First, let’s see what Authenticated Stored Cross-Site Scripting is. Let’s get started.
Authenticated Stored Cross-Site Scripting Vulnerability (XSS)
In a cross-site scripting vulnerability, the attacker is able to target the browsers of a site's users. This is done through malicious scripts or code placed on the site. It is one of the most common types of vulnerability found today.
If the script is placed on the website itself, it is known as a stored XSS vulnerability. An authenticated stored cross-site scripting vulnerability simply means that the attacker needs to have credentials for the website in order to attack the site.
So this is not that critical, because the attacker needs to have the credentials in hand to perform the attack.
WP Bakery Authenticated Stored XSS vulnerability
The WP Bakery vulnerability requires the attacker to obtain contributor- or author-level posting credentials for a website.
Once an attacker has the credentials, they are able to inject scripts into any post or page. It also gives the attacker the opportunity to modify posts that other users have made. However, this vulnerability had a lot of issues.
WP Bakery Page Builder 6.4 and Under are affected
Let’s look at the history of WP Bakery Page Builder. The vulnerability was discovered in late July 2020. In late August, another patch was released by WP Bakery, but there were still some issues, including with a second patch that was released in early September. On September 24, 2020, the final patch that closed the vulnerability was released.
WP Bakery Builder is the most common and popular page builder for WordPress. Its drag-and-drop features make it easy for users to create different kinds of custom pages.
Plugin developers post a changelog, and the content of the changelog is what appears in the WordPress admin plugin area to communicate what the update is about.
Sadly, the changelog of WP Bakery does not reflect the urgency of the update, because it does not specifically mention that a vulnerability is being fixed. The changelog refers to the vulnerability patches as upgrades.
Normally, you will find that WP Bakery Page Builder is included with themes.
The latest version of WP Bakery Page Builder is 6.4.1, so it is vital that you upgrade to it. Also, a quick suggestion to my readers: do not keep any untrusted contributor or author user accounts on your website.
Since WPBakery is a premium plugin that is also included as the page builder with various premium themes, you may need to double-check whether any updates are available to you through your theme purchase. You can find out which version is installed on your site by checking the plugin version number on your plugin dashboard.
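The two checks above (is the installed version older than 6.4.1, and which accounts hold contributor or author roles) can be automated across a site inventory. The following is an added example, not code from WP Bakery or from this post; the CSV layout, the sample rows and the plugin name `js_composer` are assumptions made for illustration.

```python
import csv
import io
import re

FIXED_VERSION = "6.4.1"                  # patched release named in the article
RISKY_ROLES = {"contributor", "author"}  # roles the article says the attack needs

# Constructed sample inventory, not real data. The column names and the
# plugin name "js_composer" are assumptions made for this example.
PLUGINS_CSV = """name,status,version
akismet,active,4.1.6
js_composer,active,6.4
"""
USERS_CSV = """user_login,roles
alice,administrator
bob,author
carol,"contributor,subscriber"
dave,subscriber
"""

def parse_version(text):
    """'6.4' -> (6, 4); parts are compared as numbers, so 6.10 sorts after 6.4."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)

def is_affected(version, fixed=FIXED_VERSION):
    """True when version is older than the fixed release (6.4 counts as 6.4.0)."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    a, b = (v + (0,) * (width - len(v)) for v in (a, b))
    return a < b

def audit(plugins_csv, users_csv, plugin_name):
    """Report the installed version and the accounts able to use the flaw."""
    report = {"installed": None, "affected": False, "risky_accounts": []}
    for row in csv.DictReader(io.StringIO(plugins_csv)):
        if row["name"] == plugin_name:
            report["installed"] = row["version"]
            report["affected"] = is_affected(row["version"])
    for row in csv.DictReader(io.StringIO(users_csv)):
        if {r.strip() for r in row["roles"].split(",")} & RISKY_ROLES:
            report["risky_accounts"].append(row["user_login"])
    return report

if __name__ == "__main__":
    print(audit(PLUGINS_CSV, USERS_CSV, "js_composer"))
```

Comparing versions as numeric tuples matters here: a plain string comparison would rank a hypothetical 6.10 below 6.4.1 and flag a patched site as vulnerable.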
So if you have friends, colleagues, or anyone else who uses this plugin on their site, I would highly recommend that they protect their sites. They can check out this post to get an idea of the various flaws that occur.
If you liked this post and it helped you, do let me know in the comments section.