WP Page Builder < 1.2.4 – Insecure default configuration Allows Subscribers Editing Access to Posts | CVE 2021-24207 | Plugin Vulnerabilities

Description

By default, the plugin allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages.

A subscriber, upon registering an account with a site with the WP Pagebuilder plugin, could immediately modify or delete existing content on the site.

Proof of Concept

It is possible for a subscriber-level user to access the editor simply by visiting the post editor’s URL for a given post or page and supplying “wppb_editor” in the “action” parameter e.g. wp-admin/post.php?post=610&action=wppb_editor.

Affects Plugins

Fixed in 1.2.4

References

CVE

URL

https://www.wordfence.com/blog/2021/04/vulnerabilities-patched-in-wp-page-builder/

URL

https://www.themeum.com/wp-page-builder-updated-v1-2-4/

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall

Submitter

Ramuel Gall

Submitter twitter

Verified

Yes

WPVDB ID

21e7a46f-e9a3-4b20-b44a-a5b6ce7b7ce6

Timeline

Publicly Published

2021-03-17 (about 3 years ago)

Added

2021-03-18 (about 3 years ago)

Last Updated

2021-04-09 (about 3 years ago)

Other

Published

Title

Published

2021-11-15

Title

Page/Post Content Shortcode <= 1.0 - Contributor+ Arbitrary Posts/Pages Access

Published

2022-06-27

Title

miniOrange's Google Authenticator < 5.5.75 - Reflected Cross-Site Scripting

Published

2023-06-19

Title

HTTP Headers < 1.18.11 - Admin+ Remote Code Execution

Published

2020-10-08

Title

Dynamic Content for Elementor < 1.9.6 - Authenticated RCE

Published

2021-04-17

Title

WordPress Download Manager < 3.1.18 - Unauthorised Download Duplication