
Bugs Found in a WordPress Page Builder Plugin Threaten Millions of Websites

While the world battles with Covid-19 and businesses face lockdown for more than a month, having a website and an online presence seems like the only way of survival. 

But viruses and creepy bugs rule the virtual world as well. 

At least a million people using the WordPress Page Builder plugin by SiteOrigin faced a security threat recently, caused by two high-severity vulnerabilities found in the plugin.

Page builder plugins are extremely popular, as they allow non-technical people to build professional-looking websites without writing any code.

The Page Builder plugin by SiteOrigin has more than 1 million active installations. This means more than 1 million websites were exposed to high-severity bugs that could even allow complete site takeover.

Now, that’s a nightmare for a website owner who goes to sleep thinking their business is on automation and will continue attracting leads and prospects while they enjoy some peace of mind.

Well, just don’t let the bedbugs bite!

The first bug was discovered in the live editor of the plugin, a feature that lets users build and update their pages, add content, and drag and drop widgets while getting a real-time view of their site. The security flaw in the live editor’s code could allow a hacker to execute malicious code on the site.

The second flaw was in a function that sends data from the live editor to the WordPress editor, so that content created with the live editor can be published with the WordPress editor. Because there was no nonce protection to verify the source of the request, the vulnerability, if exploited, could allow malicious code to be injected into the site.
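A missing nonce check of the kind described above, shown beside a hardened handler. This is an added example, not SiteOrigin's code: every `myplugin_*` name, the `panels_data` field and `editor.js` are hypothetical, while the WordPress functions called are real core APIs.

```php
<?php
/**
 * Plugin Name: Builder Save Demo (constructed example)
 * All myplugin_* names, "panels_data" and editor.js are hypothetical.
 */

// BEFORE: trusts any request that carries the user's login cookie, so a page
// on another origin can make a logged-in editor's browser submit content.
function myplugin_save_unsafe() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    update_post_meta( $post_id, '_myplugin_data', $_POST['panels_data'] ?? '' );
    wp_send_json_success();
}

// AFTER: verify the nonce, then the capability, then sanitize the content.
function myplugin_save_safe() {
    // Responds 403 and stops if the "nonce" field is missing, stale or forged.
    check_ajax_referer( 'myplugin_save', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // wp_kses_post() removes markup not allowed in post content,
    // such as script tags and event-handler attributes.
    $data = wp_kses_post( wp_unslash( $_POST['panels_data'] ?? '' ) );
    update_post_meta( $post_id, '_myplugin_data', wp_slash( $data ) );
    wp_send_json_success();
}
// Register only the hardened handler, for logged-in users (no wp_ajax_nopriv_).
add_action( 'wp_ajax_myplugin_save', 'myplugin_save_safe' );

// Hand the editor's JavaScript a nonce bound to this user, session and action.
function myplugin_enqueue_editor( $hook ) {
    if ( 'post.php' !== $hook && 'post-new.php' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'myplugin-editor', plugins_url( 'editor.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-editor', 'mypluginSave', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_save' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_editor' );
```

The nonce stops forged cross-site requests; the `current_user_can()` check is still needed because a nonce proves where a request came from, not that the user is allowed to edit that post.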

Security vulnerabilities are routinely discovered in WordPress plugins. But with WordPress powering at least 70% of the internet, it’s so popular that researchers are always running exploit tests to unearth vulnerabilities before they are exploited.

And so, with security patches often released before the bugs are exploited at scale, keeping yourself protected is as simple as keeping your plugins and themes up to date. 

Just last month, researchers unearthed another vulnerability in a popular WordPress plugin that exposed around 100k websites to compromise. The bug could be exploited for cross-site scripting and injecting malicious JavaScript on the victim site. Not only could this bug affect the victim site but an innocent visitor browsing the site could also be infected with drive-by malware or redirected to a malicious site. 

Now, that is not a pretty way of treating your valuable site visitors, is it? 

But while it does sound scary, the solution follows a simple logic: prevention is better than cure! Updating your WordPress themes and plugins to the latest version is an easy way to protect your website from compromise.

With WordPress researchers always testing and discovering security flaws to strengthen the security of WordPress sites, what you can do for your part is update your site on a routine basis to stay protected.

Thankfully, the WordPress development roadmap includes an auto-update feature for themes and plugins, which will allow website owners to always keep their sites up to date without having to remember to do it. 

This much-looked-forward-to feature will hopefully make the “cloud” a better place to browse in.

Zubair Hussain Khan

Zubair is a tech geek who loves technology and writing about it. He works for tech publications and different tech websites. He also loves to travel and spread knowledge about online security. He currently works at Techlectual.com.
