Vulnerability Exposes Over 4 Million Sites Using WPBakery

Wednesday, October 7, 2020, 16:56 GMT

From wordfence firewall today reports:”threat intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites.”

This vulnerability made it possible to insert malicious JavaScript into posts by authenticated attackers with contributor-level or above permissions.

This vulnerability has also allowed certain users the power to access the posts of other users. The plugin has expressly removed all default HTML post filtering tests using kses remove filters);. (in the saveAjaxFe feature. This meant that any user with access to the creator from WPBakery could use the page builder to insert HTML and JavaScript anywhere in a message.



Description: Authenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: WPBakery
Plugin Slug: js_composer
Affected Versions: <= 6.4.1
CVE ID: Pending.
CVSS Score: 6.4 Medium
Fully Patched Version: 6.4.1


Users could access the editor by specifying correct parameters and values for any article. This could be defined as a general flaw as well as a security issue, and this is what made it possible for contributors and editors to use the wp ajax vc save AJAX action and the saveAjaxFe functionality to insert malicious JavaScript on their own posts as well as posts from other users.

There were also custom onclick functions for buttons in the plugin. It allowed an intruder to insert malicious JavaScript into a button that would be executed at the click of the button. In addition , users at the writer and author level were able to use vc raw js, vc raw html and button to apply malicious JavaScript to posts using custom onclick shortcodes.

Both of these meant that a contributor-level access user could insert scripts into posts that would then be executed using multiple different methods until anyone visited the page or pressed a button. It is extremely likely that an administrator will view a page containing malicious JavaScript generated by an attacker with contributor-level access, as contributor-level users need permission before publishing. It will be possible for an attacker to build a new malicious administrative account or insert a loophole, among many other items, by running malicious JavaScript in the administrator’s tab.

Lower-level users no longer have unfiltered html functionality by default in the current iteration of WPBakery, but administrators can give this permission if they want to. Furthermore, users without the required rights may no longer edit the posts of other users, access the page builder unless approved, or use shortcodes that would cause malicious JavaScript to be inserted.


– Update WPBakery to lastest version

-Install a good firewall for block future attacks and vulnerabilities