WordPress Website Builder Vulnerability Affects Nearly 1 Million Websites
A significant vulnerability has been addressed in the Website Builder by SeedProd, a plugin with over 900,000 installations. This vulnerability, which was present in versions up to and including 6.15.21, poses a potential risk of unauthorized data modification on WordPress websites.
Details of the Vulnerability: Absence of Capability Check
The vulnerability is a missing capability check in the plugin’s ‘seedprod_lite_new_lpage’ function.
In WordPress, a capability is a specific action a user is permitted to perform, such as editing posts or managing options. A capability check asks whether the current user holds that permission before the code carries out the action; it is the primary authorization control in plugin and theme code.
A capability check is related to, but finer-grained than, a role check. A role check verifies which role a user has (administrator, editor, and so on); a capability check verifies whether the user holds a specific permission, regardless of which role granted it. Checking capabilities rather than roles is the recommended practice, because roles are just bundles of capabilities and can be customised per site.
Because the function performed no such check, unauthenticated attackers could modify the content of pages created with the plugin, such as coming-soon or maintenance pages.
Unauthorized Data Modification
Unauthorized data modification means that someone without the required permission can change stored data. Here, the data in question is the content of pages the plugin serves to every visitor, so a successful attack could deface the site or place attacker-controlled content on pages such as the login page. Site owners should treat this class of vulnerability as a priority to fix.
Severity and Impact: High-Risk Exposure
The vulnerability has a CVSS score of 8.2 out of 10, classified as ‘High’ under the Common Vulnerability Scoring System. The score reflects the potential impact of an unauthenticated attacker altering site content.
It has been assigned CVE-2024-1072; at the time of writing the identifier is so recent that the National Vulnerability Database has no entry for it yet.
However, security researchers from Wordfence, a WordPress security firm, have emphasized the seriousness of the Website Builder by SeedProd vulnerability:
“This vulnerability enables unauthenticated attackers to modify the content of pages such as coming-soon, maintenance, login, and 404 pages that are created using the plugin.”
Recommendations for Users of the Website Builder Plugin
SeedProd has released version 6.15.22, which addresses the vulnerability by adding a security nonce to the affected function. Users of the plugin should update to this version (or later) promptly to protect their sites against attacks exploiting this flaw.
In the context of WordPress, it’s important to understand what a nonce is:
A nonce, short for “number used once,” is a token WordPress attaches to URLs and forms so that a request can be checked as having originated from a page the site itself generated. This protects against cross-site request forgery and other forms of misuse, malicious or otherwise.
Two caveats matter for practitioners. WordPress nonces are not literally single-use: a nonce stays valid for a limited period (by default up to 24 hours) and can be reused within that window. They are also a CSRF defence rather than an access control; WordPress’s own developer guidance is that nonces should never be relied on for authentication or authorization, so a handler should verify the caller’s capability as well as the nonce.
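The following example, written for this article and not taken from the SeedProd plugin, shows the two controls discussed above (the capability check and the nonce) in a hypothetical WordPress AJAX handler that saves landing-page content. The vulnerable form lacks both controls and is reachable by logged-out users; the hardened form verifies the nonce, then checks a capability, and only then writes the option. The action names `example_save_lpage_v1` and `example_save_lpage`, the option `example_lpage_content`, the capability `edit_theme_options` and the script handle `example-editor` are all assumptions made for the illustration.

```php
<?php
/**
 * Added illustration for this article (not SeedProd's code). All action,
 * option, capability and script-handle names below are invented.
 */

// --- Vulnerable pattern: hooked for logged-out users as well as logged-in
// --- ones, with no nonce and no capability check. Anyone who can reach
// --- admin-ajax.php can overwrite the stored page content.
add_action( 'wp_ajax_nopriv_example_save_lpage_v1', 'example_save_lpage_vulnerable' );
add_action( 'wp_ajax_example_save_lpage_v1',        'example_save_lpage_vulnerable' );

function example_save_lpage_vulnerable() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    update_option( 'example_lpage_content', $content );
    wp_send_json_success( array( 'saved' => true ) );
}

// --- Hardened pattern: logged-in users only (no wp_ajax_nopriv_ hook, so a
// --- logged-out request gets WordPress's default "0" response), then CSRF
// --- check, then authorization check, then the write.
add_action( 'wp_ajax_example_save_lpage', 'example_save_lpage_secure' );

function example_save_lpage_secure() {
    // 1. CSRF defence: the 'nonce' POST field must match a nonce issued for
    //    the 'example_save_lpage' action. check_ajax_referer() terminates
    //    the request on failure by default.
    check_ajax_referer( 'example_save_lpage', 'nonce' );

    // 2. Authorization: check a capability, not a role. A role check such as
    //    in_array( 'administrator', wp_get_current_user()->roles, true )
    //    would ignore custom roles that were granted this permission and
    //    would pass administrators even if the capability were removed.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Only now touch stored data, sanitizing the HTML on the way in.
    $content = isset( $_POST['content'] )
        ? wp_kses_post( wp_unslash( $_POST['content'] ) )
        : '';
    update_option( 'example_lpage_content', $content );
    wp_send_json_success( array( 'saved' => true ) );
}

// Issuing the nonce. For a classic form, render a hidden field named 'nonce':
function example_print_editor_nonce_field() {
    wp_nonce_field( 'example_save_lpage', 'nonce' );
}

// For a JavaScript editor, hand the nonce and endpoint to an already
// registered script (handle 'example-editor' is assumed) so the script can
// send it back as the 'nonce' field of its POST body.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-editor', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_lpage' ),
    ) );
} );
```

The ordering in the hardened handler is deliberate: the nonce proves the request came from a page the site issued to this user, and the capability check proves the user is allowed to make the change. Either control alone is insufficient. A nonce printed into a public front-end page can be read by any visitor, and a capability check without a nonce leaves a logged-in administrator open to being tricked into submitting the request from another site.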