Author: Melodie Foster
Date: 15th January 2021
A WordPress plugin called Orbit Fox, installed on more than 400,000 sites, has been found to have two vulnerabilities that could allow an attacker to inject malicious code into websites that use the plugin, or to take control of those websites outright.
An authenticated attacker with at least contributor-level access can elevate themselves to administrator, which could lead to a full takeover of the website. This privilege-escalation flaw has been given a CVSS severity score of 9.9, rating it critical.
The flaw is in the Orbit Fox registration widget, where low-level contributors “could set the user role to that of an administrator upon successful registration – so, all attackers would need to do is register themselves as new users and would then be granted administrator privileges.” Exploiting it requires user registration to be enabled on the site, and the site may also need to be running the Elementor or Beaver Builder plugins.
The second flaw, the code-injection issue, stemmed from contributors being able to add scripts to posts through the plugin's header and footer script feature, despite not holding the unfiltered_html capability that WordPress normally requires before a user may save raw HTML or JavaScript.
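As an added illustration of both weaknesses (this is example code written for this page, not Orbit Fox's code and not the vendor's patch), the following shows the vulnerable registration pattern beside a hardened one, and a capability gate for the header/footer script feature, using only stock WordPress APIs. The function names, the `register_role` widget option key and the `_example_header_script` post-meta key are assumptions made for the example.

```php
<?php
/**
 * Added example, not Orbit Fox code. Demonstrates, with stock WordPress APIs:
 *  1. why a registration widget must never trust a role stored in its settings;
 *  2. gating raw <script> in header/footer fields on the unfiltered_html capability.
 * Function names and option/meta keys are hypothetical.
 */

// --- 1. Registration widget ---------------------------------------------

// Vulnerable pattern (illustrative): the role string a contributor saved into the
// widget settings is handed straight to wp_insert_user(). If that string is
// 'administrator', every self-registered user becomes an administrator.
function vuln_register_from_widget( array $settings, string $login, string $email, string $password ) {
    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $settings['register_role'], // attacker-controlled value
    ) );
}

// Hardened pattern: resolve the requested role against an allowlist of
// non-privileged roles (assumption: what self-registration is allowed to grant)
// and fall back to the site's default role, so no widget setting can confer
// more than a subscriber or contributor would receive anyway.
function safe_registration_role( array $settings ) {
    $allowed   = array( 'subscriber', 'contributor' );
    $requested = isset( $settings['register_role'] ) ? sanitize_key( $settings['register_role'] ) : '';

    if ( in_array( $requested, $allowed, true ) && wp_roles()->is_role( $requested ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

function safe_register_from_widget( array $settings, string $login, string $email, string $password ) {
    // Returns a user ID on success or a WP_Error (duplicate login, bad e-mail, ...).
    return wp_insert_user( array(
        'user_login' => sanitize_user( $login, true ),
        'user_email' => sanitize_email( $email ),
        'user_pass'  => $password,
        'role'       => safe_registration_role( $settings ),
    ) );
}

// --- 2. Header/footer scripts ------------------------------------------

// Hardened pattern: contributors and authors never hold unfiltered_html, so their
// input is run through wp_kses_post(), which strips <script> tags and on* event
// handlers. Only users who do hold the capability may save the field verbatim.
function save_post_header_script( int $post_id, string $raw ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return false;
    }
    $value = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    update_post_meta( $post_id, '_example_header_script', $value ); // meta key is an assumption
    return $value;
}
```

The same two checks apply when reviewing any plugin that offers self-registration or per-post script fields: the role assigned on registration should come from a server-side allowlist rather than from settings a low-privilege user can edit, and raw markup should be accepted only from users for whom `current_user_can( 'unfiltered_html' )` is true.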
Both vulnerabilities are patched in Orbit Fox version 2.10.3, so sites running an earlier version should update as soon as possible.