Bugs Threaten 1 Million Sites with Full Takeover in WordPress Page Builder Plugin

Page Builder by SiteOrigin, a WordPress plugin with over one million active installs that provides drag-and-drop tools for building websites, has two flaws that can allow complete takeover of a site.

Both security bugs are cross-site request forgery (CSRF) flaws that lead to reflected cross-site scripting (XSS), according to researchers at Wordfence. They “allow attackers to forge requests on behalf of a site administrator, and execute malicious code in the administrator’s browser,” the researchers wrote in a post.

Both vulnerabilities are rated 8.8 out of 10 on the CVSS scale (high severity).

Inside the Bugs

If exploited, either bug could be used to redirect a site administrator, create a new user account or inject a backdoor into the site.

The first issue lies in the plugin’s built-in live editor, a feature that lets users update content and drag and drop widgets while seeing a real-time preview of the changes on the site.

“In order to show the modifications in real-time through the live editor, the plugin registers the is_live_editor() function to check if a user is in the live editor,” explained Wordfence researchers. “If the user is in the live editor, the siteorigin_panels_live_editor parameter will be set to ‘true’ and register that a user is accessing the live editor. The plugin will then attempt to include the live editor file which renders all of the content.”

The file that does this rendering, “live-editor-preview.php”, updates the page preview with the adjustments as they are made.

The problem, Wordfence says, is that there is no nonce protection to verify that a request to render content in the live editor came from a legitimate source.

“Some of the available widgets, such as the ‘Custom HTML’ widget, could be used to inject malicious JavaScript into a rendered live page,” the researchers wrote. “If a site administrator was tricked into accessing a crafted live preview page, any malicious JavaScript included as part of the Custom HTML widget could be executed in the browser.”

The data associated with a live preview is never stored in the database, the researchers added, so the CSRF flaw results in a reflected XSS flaw rather than a stored XSS flaw.

The second flaw is also a CSRF-to-XSS problem, this time in the plugin’s action_builder_content function, which is tied to the wp_ajax_so_panels_builder_content AJAX action.

“This function’s purpose was to transmit content submitted as panels_data from the live editor to the WordPress editor in order to update or publish the post using the content created from the live editor,” the researchers said. “This function did have a permissions check to verify that a user had the capability to edit posts for the given post_id. However, there was no nonce protection to verify the source of a request, causing the CSRF flaw.”

In testing exploits, the researchers found that the “Text” widget could be used to insert malicious JavaScript, because it allows content to be edited in “text” format rather than “visual” format.

“This allowed potentially malicious JavaScript to be sent unfiltered,” according to Wordfence. “Due to the widget data being echoed, any malicious code that was a part of the text widget’s data could then be executed as part of a combined CSRF to XSS attack in a victim’s browser.”
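The pattern Wordfence describes for both bugs, a handler that checks the user’s capability but never checks where the request came from and then echoes submitted markup, is easy to see in code. The following is an added example written for this article, not SiteOrigin’s code and not from the Wordfence write-up: a minimal admin-ajax handler in that shape, followed by a hardened version, and a nonce check for a GET-driven live preview like the one discussed above. The function names, the `example_builder_content` and `example_live_editor` action names, the `_panels_nonce` field and the include path are hypothetical; the WordPress API calls (`check_ajax_referer`, `wp_verify_nonce`, `current_user_can`, `wp_kses_post`, `wp_send_json_success`) are real.

```php
<?php
/**
 * Added example (not the plugin's code): the CSRF-to-XSS shape described in
 * the text, then the same handler with nonce protection and output filtering.
 * Function names, hook names, the nonce action strings and the include path
 * are hypothetical.
 */

// --- Vulnerable pattern: authorization check only, no request-origin check. --
// A logged-in administrator lured to an attacker-controlled page has their
// browser submit this request with the WordPress cookies attached, so
// current_user_can() passes and attacker-supplied 'panels_data' is echoed raw.
function example_builder_content_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $panels_data = isset( $_POST['panels_data'] ) ? wp_unslash( $_POST['panels_data'] ) : '';
    echo $panels_data; // reflected XSS sink: a <script> in a text widget runs in the admin's browser
    wp_die();
}

// --- Hardened pattern: nonce, then capability, then filtered output. ---------
function example_builder_content_hardened() {
    // 1. Request-origin check. check_ajax_referer() compares the '_panels_nonce'
    //    field against a nonce tied to this action and the current user/session,
    //    and terminates the request (HTTP 403, body "-1") if it is missing or
    //    invalid. A request forged from another origin never gets past here.
    check_ajax_referer( 'example_builder_content', '_panels_nonce' );

    // 2. Authorization check (the part the original handler already had).
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Never echo submitted markup unfiltered. wp_kses_post() strips <script>,
    //    on* event handlers and javascript: URLs but keeps post-safe HTML.
    $panels_data = isset( $_POST['panels_data'] ) ? wp_unslash( $_POST['panels_data'] ) : '';
    $clean       = wp_kses_post( $panels_data );

    // 4. Answer as JSON rather than as an HTML document.
    wp_send_json_success( array( 'post_id' => $post_id, 'panels_data' => $clean ) );
}
add_action( 'wp_ajax_example_builder_content', 'example_builder_content_hardened' );

// Hand the nonce only to the legitimate editor script, so only it can call in.
function example_enqueue_builder_script() {
    wp_enqueue_script( 'example-builder', plugins_url( 'js/builder.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-builder', 'exampleBuilder', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_builder_content' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_builder_script' );

// Same idea for a GET-driven live preview: the presence of a query parameter
// is not proof of a legitimate request; verify a nonce before including the
// preview template that renders widget content.
function example_maybe_render_live_preview() {
    if ( empty( $_GET['example_live_editor'] ) ) {
        return;
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_live_editor' ) || ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Invalid preview request', '', array( 'response' => 403 ) );
    }
    include plugin_dir_path( __FILE__ ) . 'live-editor-preview.php'; // hypothetical path
    exit;
}
add_action( 'template_redirect', 'example_maybe_render_live_preview' );
```

The ordering in the hardened handler matters: the nonce check runs before any state is read, so a forged request is rejected before the capability check can be satisfied by the victim’s cookies. Note that a nonce alone does not fix the XSS half of the chain; the `wp_kses_post()` step is what keeps a text widget containing `<script>` from executing if the same data is ever rendered for another user.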

Updates

The vulnerabilities affect Page Builder versions 2.10.15 and below; administrators should update to version 2.10.16 or later to prevent full site takeover.

It should be noted that for the attack to succeed, an attacker must trick a logged-in site administrator into performing an action, such as clicking a link or opening an attachment.

Vulnerabilities continue to plague WordPress plugins. Last month, a CSRF bug in Real-Time Search and Replace was revealed that could have exposed millions of website visitors to drive-by malware, among other issues.

Also in April, the WordPress search engine optimization (SEO) plugin Rank Math was found to have a pair of security vulnerabilities, one of them critical. According to researchers, they could allow remote attackers to elevate privileges and install malicious redirects on a target site. The Rank Math plugin has over 200,000 installs.

If you found the information useful, then please share it. Stay tuned for more useful blogs on WordPress Security, Bugs, Plugins, Themes, and more.


2020-05-14T12:32:01+00:00

About the Author:

He is an enthusiastic writer and WordPress user. He writes on WordPress, WooCommerce, E-Commerce, and open-source projects.
