WordPress Website Builder Plugin Vulnerable to Unauthorized Data Changes

CVE: CVE-2024-1072
CVSS v3.1: 8.2
Source: CVE-2024-1072

The Website Builder plugin by SeedProd for WordPress was found to have a vulnerability that could allow unauthorized changes to be made to coming soon, maintenance and error pages created with the plugin.

WordPress is a popular open source content management system used by many websites and blogs to build and manage their online presence. Plugins are additional features that can be installed to extend WordPress functionality. The Website Builder plugin allows users to easily create coming soon, maintenance and error pages without code.

The vulnerability was due to a missing capability check in the plugin code. This means that any visitor to the site, whether logged in or not, could potentially modify content like text, images and other settings on pages created with the plugin.
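The bug class described above, shown as an added example that is not SeedProd's code: a WordPress AJAX handler that saves page content without an authorization check, next to a hardened version. The action name, option key, function names and the `manage_options` capability are assumptions chosen for illustration.

```php
<?php
// Illustration only: hypothetical plugin code, not taken from the Website Builder plugin.

// BEFORE: registered for logged-in AND anonymous requests, and the handler
// never asks whether the caller is allowed to change the page.
// (Registrations left commented out so this file does not expose the handler.)
// add_action( 'wp_ajax_example_save_page', 'example_save_page_unsafe' );
// add_action( 'wp_ajax_nopriv_example_save_page', 'example_save_page_unsafe' );
function example_save_page_unsafe() {
    $html = isset( $_POST['html'] ) ? wp_unslash( $_POST['html'] ) : '';
    update_option( 'example_coming_soon_html', $html ); // no capability check
    wp_send_json_success();
}

// AFTER: only the authenticated hook is registered (no wp_ajax_nopriv_*).
add_action( 'wp_ajax_example_save_page', 'example_save_page' );
function example_save_page() {
    // 1. CSRF protection: the nonce issued on the admin screen must be present.
    //    check_ajax_referer() terminates the request when it is missing or invalid.
    check_ajax_referer( 'example_save_page', 'nonce' );

    // 2. Authorization: the capability check. Being logged in is not enough;
    //    the user must hold the capability that guards this setting.
    //    'manage_options' is an assumed choice for this example.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input handling: strip markup that is not allowed in post content.
    $html = isset( $_POST['html'] ) ? wp_kses_post( wp_unslash( $_POST['html'] ) ) : '';

    update_option( 'example_coming_soon_html', $html );
    wp_send_json_success();
}
```

When reviewing a plugin for this pattern, list every `wp_ajax_`, `wp_ajax_nopriv_`, `admin_init` and REST route registration and confirm each state-changing handler calls `current_user_can()` before it writes anything.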

An attacker could exploit this to deface or change coming soon pages to display malicious or inappropriate content. They could also alter maintenance pages to trick site visitors.

The plugin developer has released updates that address this issue in versions 6.15.22 and above. All users of the Website Builder plugin should update immediately to prevent unauthorized data changes. It is also good practice for website owners to keep plugins and WordPress core updated with the latest security fixes. Regular reviews of plugin capabilities can help catch and fix similar issues.
