Security experts discovered two serious vulnerabilities in the WordPress Orbit Fox plugin that attackers could exploit to compromise websites running it.
Wordfence reported two different vulnerabilities in the plugin. One of them has a critical-severity rating with a CVSS score of 9.9: authenticated attackers with contributor-level access or above can escalate their privileges to administrator and potentially take over a website.
The second vulnerability received a medium-severity rating with a CVSS score of 6.4. Exploiting it could allow an authenticated lower-privileged adversary to insert malicious scripts into posts.
ThemeIsle developed the plugin to enhance the Elementor, Beaver Builder and Gutenberg editors with additional features.
“One of these flaws made it possible for attackers with contributor level access or above to escalate their privileges to those of an administrator and potentially take over a WordPress site. The other flaw made it possible for attackers with contributor or author level access to inject potentially malicious JavaScript into posts.” reads the post published by Wordfence.
“These types of malicious scripts can be used to redirect visitors to malvertising sites or create new administrative users, amongst many other actions.”
Wordfence stated that, for the flaw to be exploitable, user registration would need to be enabled and the site would need to be running the Elementor or Beaver Builder plugin.
The two vulnerabilities affect plugin versions up to and including 2.10.2. Wordfence disclosed the issues to the developers as soon as it found them.
ThemeIsle addressed both vulnerabilities with the release of Orbit Fox 2.10.3.
Website administrators using this plugin should update to the latest plugin version to secure their sites.
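The following script is an added example, not code from the article, Wordfence or ThemeIsle. It shows the two checks an administrator would want after reading the advisory: whether the installed Orbit Fox version falls in the affected range (up to 2.10.2, fixed in 2.10.3), and whether any administrator accounts exist that were not there before, since the quoted post notes that injected scripts can be used to create new administrative users. It assumes WP-CLI is installed as `wp`, that the plugin's slug is `themeisle-companion` (an assumption; confirm it with `wp plugin list` on your site), and that `sort -V` is available (GNU coreutils).

```shell
#!/bin/sh
# Added example: defender-side checks for the Orbit Fox advisory.
# Assumptions: WP-CLI is available as `wp`; the Orbit Fox plugin slug is
# "themeisle-companion" (verify on your site); `sort -V` is GNU coreutils.

LAST_VULNERABLE="2.10.2"            # advisory: versions up to 2.10.2 affected
FIXED_VERSION="2.10.3"              # advisory: first patched release
PLUGIN_SLUG="themeisle-companion"   # assumed slug for Orbit Fox

# orbitfox_vulnerable VERSION -> exit 0 if VERSION <= 2.10.2, 1 otherwise.
# Version-aware sorting matters here: a plain string compare would wrongly
# treat 2.10.10 as older than 2.10.2. An empty version is treated as
# vulnerable (unknown state).
orbitfox_vulnerable() {
  ver="$1"
  lowest=$(printf '%s\n%s\n' "$ver" "$LAST_VULNERABLE" | sort -V | head -n 1)
  [ "$lowest" = "$ver" ]
}

# check_site -> reads the installed Orbit Fox version via WP-CLI and reports
# whether it is in the affected range. Returns 0 patched, 1 affected,
# 2 if the plugin or WP-CLI is not available.
check_site() {
  installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
    echo "Orbit Fox ($PLUGIN_SLUG) not found or WP-CLI unavailable"
    return 2
  }
  if orbitfox_vulnerable "$installed"; then
    echo "Orbit Fox $installed is affected; update with: wp plugin update $PLUGIN_SLUG"
    return 1
  fi
  echo "Orbit Fox $installed is at or above $FIXED_VERSION"
  return 0
}

# unexpected_admins BASELINE_FILE CURRENT_FILE
# Prints administrator logins present in CURRENT_FILE but absent from
# BASELINE_FILE (one login per line in each). Produce CURRENT_FILE with:
#   wp user list --role=administrator --field=user_login > current.txt
# and keep BASELINE_FILE from a known-good point in time.
unexpected_admins() {
  baseline="$1"
  current="$2"
  if [ ! -s "$baseline" ]; then
    # No baseline recorded: every current administrator needs review.
    sort -u "$current"
    return 0
  fi
  # grep exits 1 when nothing is unexpected; that is not an error here.
  sort -u "$current" | grep -vxF -f "$baseline" || true
}

# Run the live WP-CLI check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
  check_site
fi
```

Run it as `sh orbitfox_check.sh --check` from the WordPress root (WP-CLI needs to find wp-config.php), and keep the administrator baseline file somewhere outside the web root so a compromised site cannot quietly rewrite it.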