WordPress Plugin Vulnerabilities

Page Builder by SiteOrigin < 2.10.16 - CSRF to Reflected Cross-Site Scripting (XSS)

Description

Flaws in the live editor and action_builder_content functions of the plugin "allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser. The attacker needs to trick a site administrator into executing an action, like clicking a link or an attachment, for the attack to succeed."

Proof of Concept

Affects Plugins

Plugin icon
siteorigin-panels
Fixed in 2.10.16

References

CVE
CVE-2020-13643
CVE
CVE-2020-13642
URL
https://www.wordfence.com/blog/2020/05/vulnerabilities-patched-in-page-builder-by-siteorigin-affects-over-1-million-sites/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
No
WPVDB ID
6de420d5-c1e6-40e4-ab30-da0e974716b5

Timeline

Publicly Published
2020-05-11 (about 6 years ago)
Added
2020-05-11 (about 6 years ago)
Last Updated
2020-05-29 (about 5 years ago)

Other

Published
Title
Published
2024-04-12
Title
AffiEasy < 1.1.6 - Cross-Site Request Forgery
Published
2025-09-22
Title
Force Update Translations < 0.6.0 - Cross-Site Request Forgery
Published
2026-02-17
Title
WP Plugin Info Card < 6.3.0 - Cross-Site Request Forgery to Arbitrary Custom Plugin Entry Creation
Published
2025-02-03
Title
URL-Preview-Box <= 1.20 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-03-10
Title
Appsero Helper < 1.3.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting