A WordPress plugin called Orbit Fox, had two vulnerabilities. One critical could allow attackers to inject malicious code into vulnerable websites and/or take control of the website.

Orbit Fox is a WordPress plugin with multiple functions that works with the site-building utilities of Elementor, Beaver Builder and Gutenberg. It allows features such as registration forms and widgets to be added by site administrators. The plugin has been installed on 400,000+ sites by a developer called ThemeIsle.

The first defect (CVEs are pending) is an authenticated privilege-escalation defect that carries a CVSS bug-severity score of 9.9, making it critical, according to researchers at Wordfence. Authenticated attackers with or above contributor level access can raise themselves to the status of administrator and possibly take over a WordPress site.

Meanwhile, the second bug is an authenticated cross-site scripting (XSS) problem that allows contributor-level or author-level access attackers to inject JavaScript into posts. This injection used, among other actions, to redirect visitors to malvertising websites or to create new administrative users. On the CVSS scale, it’s rated 6.4, making it medium severity.

Privilege Escalation

According to researchers, the privilege-escalation bug does exist in the Orbit Fox registration widget.

When using the Elementor and Beaver Builder page-builder plugins, the widget is used to build registration forms with customizable fields. Using the form, site administrators can set a default role to be assigned to users registering on the site.

“Lower-level users like contributors, authors. And editors were not shown the option to set the default user role from the editor. However, we found that they could still modify the default user role by crafting a request with the appropriate parameter,”. Wordfence researchers explained, in a Tuesday posting. “The plugin provided client-side protection to prevent the role selector from being shown to lower-level users. While adding a registration form. Unfortunately, there were no server-side protections or validation to verify. That an authorized user was actually setting the default user role in a request.”

When data is sent to the server as a user enters it into a form, server-side validation occurs. Once the request is received by the server. It will then check for security problems, ensure that data is properly formatted. And prepare the submission to insert or update to a data source.

The lack of server-side validation in Orbit Fox means that on successful registration, lower-level contributors, authors. And editors for the site could set the user role to that of an administrator. So all attackers would have to do is register themselves as new users and then administrator privileges would be granted.

“To exploit this flaw, user registration would need to be enabled and the site would need to be running the Elementor or Beaver Builder plugins,” according to Wordfence. “A site with user registration disabled or neither of these plugins installed would not be affected by this vulnerability.”

Stored XSS

The medium-severity issue arises because contributors and authors are able to add scripts to posts. Despite not having the unfiltered html capability due to the header. And footer script feature in Orbit Fox, according to Wordfence.

“This flaw allowed lower-level users to add malicious JavaScript to posts. That would execute in the browser whenever a user navigated to that page,” researchers explained. “As always with XSS vulnerabilities. This would make it possible for attackers to create new administrative users, inject malicious redirects. And backdoors, or alter other site content through the use of malicious JavaScript.”

Issues are fixed in version 2.10.3. Sites running Orbit Fox versions 2.10.2 and below should be updated as soon as possible.

WordPress Plugin Problems

The Orbit Fox bugs are the latest to come in recent months in the line of defective WordPress plugins.

In October, Post Grid, a WordPress plugin with more than 60,000 installations. Found to open the door to site takeovers with two high-severity vulnerabilities. To boot, in Post Grid’s sister plug-in, Team Showcase, 6,000 installations, almost identical bugs are also found.

In September, a high-severity flaw was found to affect more than 100,000 WordPress websites in the Email Subscribers & Newsletters plugin by Icegram.

Earlier, in August, two critical vulnerabilities were patched by a plugin intended to add quizzes and surveys to WordPress websites. Remote, unauthenticated attackers could exploit the flaws to launch various attacks, including completely taking over vulnerable websites. Newsletter, a WordPress plugin with more than 300,000 installations, also found in August. To have a couple of vulnerabilities that could lead to code execution and even the takeover of the site.

And in a WordPress plugin called Comments-wpDiscuz. Installed on more than 70,000 websites, researchers warned in July of a critical vulnerability. The flaw provided the ability to upload arbitrary files (including PHP files). To unauthenticated attackers and eventually execute remote code on vulnerable website servers.

You may also like:

The Best Email Marketing Tips for WordPress Users

5 Best WordPress Survey Plugins You Need to Know