WP Page Builder < 1.2.4 – Insecure default configuration Allows Subscribers Editing Access to Posts | CVE 2021-24207 | Plugin Vulnerabilities

Description

By default, the plugin allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages.

A subscriber, upon registering an account with a site with the WP Pagebuilder plugin, could immediately modify or delete existing content on the site.

Proof of Concept

It is possible for a subscriber-level user to access the editor simply by visiting the post editor’s URL for a given post or page and supplying “wppb_editor” in the “action” parameter e.g. wp-admin/post.php?post=610&action=wppb_editor.

Affects Plugins

Fixed in 1.2.4

References

CVE

URL

https://www.wordfence.com/blog/2021/04/vulnerabilities-patched-in-wp-page-builder/

URL

https://www.themeum.com/wp-page-builder-updated-v1-2-4/

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall

Submitter

Ramuel Gall

Submitter twitter

Verified

Yes

WPVDB ID

21e7a46f-e9a3-4b20-b44a-a5b6ce7b7ce6

Timeline

Publicly Published

2021-03-17 (about 4 years ago)

Added

2021-03-18 (about 4 years ago)

Last Updated

2021-04-09 (about 4 years ago)

Other

Published

Title

Published

2021-06-04

Title

Social Sharing Plugin - Kiwi 2.1.0 - Unauthenticated Arbitrary WordPress Options Update and Read

Published

2024-12-04

Title

Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins < 2.0.59 - Sensitive Information Exposure

Published

2020-10-08

Title

Dynamic Content for Elementor < 1.9.6 - Authenticated RCE

Published

2024-03-20

Title

WooCommerce Cloak Affiliate Links < 1.0.34 - Missing Authorization to Unauthenticated Permalink Modification

Published

2017-11-02

Title

Like Button Rating < 2.5.4 - Unauthenticated Arbitrary Blog Settings Change