Page Builder: Pagelayer WordPress plugin is a popular drag and drop page builder, used to create professional-looking website designs with ease. Recently, a Stored Cross-Site Scripting (XSS) vulnerability has been identified in versions of the plugin before 1.8.1. This blog post will provide details on the vulnerability, the affected code snippet, links to original sources, and information on how to exploit this vulnerability.
Exploit Details:
The vulnerability (CVE-2023-7115) lies within the plugin's inability to sanitize and escape some of its settings. This could allow high privilege users, such as admin, to perform Stored Cross-Site Scripting (XSS) attacks even when the 'unfiltered_html' capability is disallowed (e.g., in multisite setups).
Code Snippet
Before understanding the vulnerability, let's have a look at a code snippet from the offending pagelayer-class.php file:
function pagelayer_save_settings(){
...
if(isset($_POST['pl_api_key'])){
$pagelayer->settings['pl_api_key'] = $_POST['pl_api_key'];
}
...
update_option('pagelayer_settings', $pagelayer->settings);
}
In the code snippet above, the plugin saves user-supplied data directly to the pagelayer_settings option without proper sanitization and escaping. This leaves the plugin susceptible to Stored XSS attacks.
Original References
- CVE Details: CVE-2023-7115
- Pagelayer WordPress Plugin page
- Pagelayer 1.8.1 Release Notes/Changelog
Attack Scenario
An authenticated admin user could exploit this vulnerability by inserting malicious JavaScript code into the plugin's settings field, which then gets executed when another user visits the affected WordPress website. The impact of such an attack could range from stealing sensitive information to taking complete control of a vulnerable WordPress site.
Mitigation
To mitigate this vulnerability, it is strongly recommended to update the Pagelayer WordPress plugin to the latest version (1.8.1 or later). The plugin authors have addressed this vulnerability by adding proper sanitization and escaping to the affected settings fields. The following code snippet shows the fix in the pagelayer-class.php file:
function pagelayer_save_settings(){
...
if(isset($_POST['pl_api_key'])){
$pagelayer->settings['pl_api_key'] = sanitize_text_field($_POST['pl_api_key']);
}
...
update_option('pagelayer_settings', $pagelayer->settings);
}
As seen in the updated code snippet, the sanitize_text_field() function is now used to sanitize the POST data before saving it to the pagelayer_settings option.
Conclusion
It is crucial to keep WordPress plugins up-to-date and well-maintained to ensure a secure online presence. Users of the Page Builder: Pagelayer WordPress plugin should ensure they are running version 1.8.1 or later to mitigate the Stored XSS vulnerability (CVE-2023-7115). Regularly monitoring web security news and updates will greatly assist in protecting your website and its visitors from potential threats.
Timeline
Published on: 02/27/2024 09:15:37 UTC
Last modified on: 02/27/2024 14:20:06 UTC