Can Wipe out Everything!
Wordfence has discovered a similar threat in Google’s plug-in earlier this month. And now, it’s back with findings in another plug-in from PageLayer, a drag-and-drop page builder used by over 200,000 users. PageLayer’s older versions are having two critical flaws that can be exploited for altering the site’s contents/settings and even takeover wholly. The first vulnerability will allow any user with just subscriber-level access to update or modify the posts with malicious content. He can even tinker with other settings too. And the second vulnerability will allow attackers to “forge a request on behalf of a site’s administrator to modify the settings of the plugin which could allow for malicious Javascript injection.” These are because of unprotected AJAX actions and a lack of protection to Cross-Site Request Forgery (CSRF) activities. Which can allow attackers to inject malicious JavaScript code and alter the site’s pages, create rogue admin accounts, and redirect visitors to other malicious sites? Wordfence describes the worst of these exploits can be compromising the user’s computer through his browser!
Problem Mitigation
Updating to the latest version is the only solution for this. Site administrators are advised to update the plug-in from their dashboards or by downloading the new version, 1.1.2 directly from PageLayer site. This was released on May 6th, and more than 85,000 sites have updated to the latest version. Yet, there are still 100,000 sites still having this flaw uncovered, and may compromise of attackers are interested. Update here: PageLayer v1.1.2