Security Vulnerability

Resolved e dev
(@efishinsea)

1 year, 4 months ago

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

The Classic Addons – WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page..

More Info:

https://patchstack.com/database/wordpress/plugin/classic-addons-wpbakery-page-builder-addons/vulnerability/wordpress-classic-addons-wpbakery-page-builder-plugin-3-0-cross-site-scripting-xss-vulnerability

Viewing 7 replies - 1 through 7 (of 7 total)

Plugin Author webcodingplace
(@webcodingplace)

1 year, 4 months ago

Hi,

Thanks for reporting. A new version (3.2) is released fixing these issues.

Regards

jamescrank
(@jamescrank)

11 months ago

WordPress Classic Addons – WPBakery Page Builder plugin <= 3.4 – Cross Site Scripting (XSS) vulnerability

This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.

https://patchstack.com/database/wordpress/plugin/classic-addons-wpbakery-page-builder-addons/vulnerability/wordpress-classic-addons-wpbakery-page-builder-plugin-3-0-cross-site-scripting-xss-vulnerability?_a_id=350

Plugin Author webcodingplace
(@webcodingplace)

11 months ago

Hi @jamescrank

Thanks for reporting. Is there any further details? like how one can inject malicious scripts?

jamescrank
(@jamescrank)

11 months ago

From what I found, the issue allows a contributor-level user to inject scripts through one of the plugin’s fields — likely due to improper input sanitization. The script runs when someone views the page. I don’t have deeper technical details, but this was flagged again as vulnerable by MWP.

Plugin Author webcodingplace
(@webcodingplace)

11 months ago

I noticed some of the issues and released a fixed version.

jamescrank
(@jamescrank)

10 months, 4 weeks ago

It seems that the new version did not fixed the issues, the MWP still marked the plugin as vulnerable
https://app.screencast.com/GsT0KUyih81Hd

Plugin Author webcodingplace
(@webcodingplace)

10 months ago

Fixed in v3.6

Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘Security Vulnerability’ is closed to new replies.