WordPress Website Builder Vulnerability Affects Nearly 1 Million Websites via @sejournal, @martinibuster

A important vulnerability has been patched successful the Website Builder by SeedProd that has implicit 900,000 installations. This vulnerability, contiguous successful versions up to and including 6.15.21, poses a hazard for unauthorized information modification connected WordPress sites.

Vulnerability Details: Missing Capability Check

The vulnerability that was discovered is called a missing capableness cheque wrong the ‘seedprod_lite_new_lpage’ function.

Capabilities are circumstantial actions that users oregon roles are allowed to perform. A capableness cheque is an important information diagnostic successful WordPress for managing permissions and entree controls. They find if a idiosyncratic has the authorization to execute circumstantial action.

It’s akin to a relation cheque successful that a relation cheque verifies the user’s relation (like administrator, editor, etc.), portion a capableness cheque verifies whether the idiosyncratic has circumstantial permissions. A capableness cheque provides a much granular power implicit permissions compared to a relation check.

The missing capableness cheque allows unauthenticated attackers to perchance modify the contented of assorted pages created utilizing the plugin, specified arsenic coming-soon oregon attraction pages. The lack of this information diagnostic exposes websites to risks of information tampering.

Unauthorized Data Modification

Unauthorized modification of information is simply a superior information issue. It arises from a flaw wherever unauthorized individuals tin change data, starring to imaginable exploits. Addressing this benignant of vulnerability successful the Website Builder plugin is highly recommended.

Severity and Impact: High-Risk Exposure

The vulnerability is rated 8.2 retired of a standard of 1- 10, with a severity standing classified arsenic ‘High’ according to the Common Vulnerability Scoring System (CVSS). The precocious standing indicates however superior the imaginable interaction is.

This vulnerability is truthful caller that determination is presently nary introduction successful the National Vulnerability Database for the assigned CVE fig CVE-2024-1072.

However, Wordfence WordPress information researchers emphasized the seriousness of the Website Builder by SeedProd vulnerability:

“This makes it imaginable for unauthenticated attackers to alteration the contents of coming-soon, attraction pages, login and 404 pages acceptable up with the plugin.”

Recommendation For Website Builder Plugin Users

The steadfast of the Website Builder by SeedProd has responded by releasing an updated version, 6.15.22, which addresses this vulnerability. The update includes a information nonce to mitigate the risk, and users of the plugin are powerfully advised to update instantly to unafraid their website against attacks.

Regarding the nonce, WordPress explains what it is:

A nonce is simply a “number utilized once” to assistance support URLs and forms from definite types of misuse, malicious oregon otherwise.

…They assistance support against respective types of attacks…”

Read the announcement by Wordfence:

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.15.21 – Missing Authorization via seedprod_lite_new_lpag

Read the authoritative SeedProd Changelog

Featured Image by Shutterstock/Nikulina Tatiana