WordPress Plugin Vulnerabilities
WP Page Builder < 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts
Description
By default, the plugin allows subscriber-level users to edit and make changes to any and all posts and pages; user roles must be specifically blocked from editing posts and pages.
A subscriber, upon registering an account on a site running the WP Pagebuilder plugin, could immediately modify or delete existing content on the site.
Proof of Concept
A subscriber-level user can access the editor simply by visiting the post editor’s URL for a given post or page and supplying “wppb_editor” in the “action” parameter, e.g. wp-admin/post.php?post=610&action=wppb_editor.
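A defender-side check for the request pattern described above, as an added example that is not part of the original advisory: it scans web server access logs for requests to wp-admin/post.php carrying action=wppb_editor and groups the successful loads by client. Combined Log Format is assumed, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_wppb_editor_requests(lines):
    """Return one record per request that opens the page builder editor."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/post.php"):
            continue
        # parse_qs percent-decodes values, so action=wppb%5Feditor matches too
        query = parse_qs(url.query)
        if "wppb_editor" not in query.get("action", []):
            continue
        hits.append({"ip": m["ip"], "time": m["time"],
                     "post": query.get("post", ["?"])[0], "status": int(m["status"])})
    return hits

def posts_by_client(hits):
    """Group successful (HTTP 200) editor loads by client address."""
    grouped = defaultdict(set)
    for h in hits:
        if h["status"] == 200:
            grouped[h["ip"]].add(h["post"])
    return dict(grouped)

# Constructed sample log lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Mar/2021:10:01:12 +0000] "GET /wp-admin/post.php?post=610&action=wppb_editor HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Mar/2021:10:01:40 +0000] "GET /wp-admin/post.php?action=wppb%5Feditor&post=611 HTTP/1.1" 200 47990 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [17/Mar/2021:10:02:03 +0000] "GET /wp-admin/post.php?post=610&action=edit HTTP/1.1" 200 51002 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Mar/2021:10:03:55 +0000] "GET /wp-admin/post.php?post=612&action=wppb_editor HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, posts in posts_by_client(find_wppb_editor_requests(SAMPLE_LOG)).items():
        print(ip, sorted(posts))
```

Access logs do not record the WordPress role behind a request, so each flagged client still has to be correlated with the site's user accounts and post revision history to tell editors from subscribers.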
Affects Plugins
References
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Ramuel Gall
Submitter
Ramuel Gall
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-03-17 (about 3 years ago)
Added
2021-03-18 (about 3 years ago)
Last Updated
2021-04-09 (about 3 years ago)