Cross-site scripting (XSS) vulnerabilities give an attacker the ability to target the browsers of a site's visitors through malicious scripts that were surreptitiously placed on the website.
XSS attacks are among the most common kinds of vulnerability.
This particular attack is called an Authenticated Stored Cross-Site Scripting Vulnerability. A Stored XSS vulnerability is one in which a script is placed in the site itself by an attacker.
But this is an Authenticated Stored XSS vulnerability, meaning that the attacker must have site credentials in order to execute the attack.
This particular WP Bakery vulnerability requires that the attacker obtain contributor or creator level posting credentials to a website.
Once an attacker has the credentials, they are able to inject scripts into any posts or pages. It also enables the attacker to change the posts made by other users.
This vulnerability was composed of multiple flaws.
According to WordFence:
The vulnerability was found in late July 2020. WP Bakery issued a fix in late August, but other issues remained, including in a second patch issued in early September.
The last fix that closed the vulnerability was issued on September 24, 2020.
Plugin software developers publish a changelog. The changelog is what appears in the plugin area of the WordPress admin to communicate what an update is about.
Tragically, WP Bakery’s changelog doesn’t reflect the urgency of the update because it doesn’t explicitly say that it is fixing a vulnerability. The changelog refers to the vulnerability patches as improvements.
The WP Bakery Page Builder Plugin is frequently included in themes. Publishers should check their plugins and ensure they have the most recent and most secure version, which is 6.4.1.
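Because the plugin often ships inside themes, a copy can sit outside the normal plugins folder and miss updates. The following is an added example, not code from the article or from WP Bakery, that walks a wp-content tree and flags every copy older than 6.4.1. It assumes the plugin's main file is named js_composer.php and carries a standard WordPress "Version:" header; the sample directory tree is constructed for the demonstration.

```python
import os
import re
import tempfile

FIXED = (6, 4, 1)                 # patched version named in the article
MAIN_FILE = "js_composer.php"     # assumption: WP Bakery's main plugin file name
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)

def parse_version(text):
    """Return the plugin header version as a 3-part int tuple, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".") if p]
    return tuple((parts + [0, 0, 0])[:3])   # pad "6.2" to (6, 2, 0)

def audit(wp_content):
    """Find every copy of the plugin under wp_content, including theme-bundled ones."""
    findings = []
    for root, _dirs, files in os.walk(wp_content):
        if MAIN_FILE not in files:
            continue
        path = os.path.join(root, MAIN_FILE)
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read(8192))   # headers sit at the top of the file
        if version is None:
            status = "unknown"          # no readable header: inspect by hand
        elif version < FIXED:
            status = "vulnerable"
        else:
            status = "ok"
        findings.append((os.path.relpath(path, wp_content), version, status))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample layout: one standalone copy, one bundled in a theme."""
    samples = {
        "plugins/js_composer": "6.4.1",
        "themes/example-theme/vendor/js_composer": "6.2",
    }
    for rel, ver in samples.items():
        d = os.path.join(base, *rel.split("/"))
        os.makedirs(d)
        with open(os.path.join(d, MAIN_FILE), "w", encoding="utf-8") as fh:
            fh.write("<?php\n/*\nPlugin Name: WPBakery Page Builder\nVersion: %s\n*/\n" % ver)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, version, status in audit(tmp):
            print(status, version, rel)
```

On a real site, call audit() with the path to the wp-content directory; any "vulnerable" or "unknown" result under themes/ means the theme's bundled copy needs updating separately.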