WordPress Plugin Flaw Allows for Site Takeover

Author: Melodie Foster

Date: 15th January 2021

A plugin used by 400,000+ WordPress sites called Orbit Fox has found to have two vulnerabilities, which could allow a hacker to inject malicious code into WordPress websites that utilise the plugin and/or to take control of those websites.

An authenticated attacker that has at least a minimum contributor level access, can elevate themselves to administrator level which could lead to them potentially taking over the website. This privilege-escalation flaw has therefore been given a CVSS severity score of 9.9, making it critical.

This flaw is present in the Orbit Fox registration widget where low-level contributors “could set the user role to that of an administrator upon successful registration – so, all attackers would need to do is register themselves as new users and would then be granted administrator privileges.” Exploiting this flaw would require user registration to be enable and the site might also need to be running Elementor or Beaver Builder plugins.

The second flaw has been given a CVSS score of 6.4 making it medium in severity. It is an authenticated stored cross-site scripting bug that allows attackers with contributor level access to inject JavaScript into posts which could be used to redirect users to other sites or create new administrative users for example.

The issue stemmed from contributors being able to add scripts to posts due to the header and footer script feature, despite not having the unfiltered_html capability.

Both vulnerabilities are patched in Orbit Fox version 2.10.3 so sites running versions below should update as soon as they can[1].

[1] https://threatpost.com/orbit-fox-wordpress-plugin-bugs/163020/

Other resources

Cyberfort Colocation Services

Cyberfort has invested heavily in secure infrastructure, making us the perfect colocation service provider to host your mission-critical, sensitive and regulated data.
Find out more >

What can Cyberfort do for you?

Check out our factsheets for detailed information on the matrix of cybersecurity products and services we offer to protect your business.
Find out more >

Cyberfort Deep Dives

Cyberfort’s cybersecurity consultants explore issues in cyber threat intelligence, incident planning and data security. Read our whitepapers to help make decisions that benefit your business.
Find out more >

Cookie Name	Expiration Time	Description
_ga	2 years	Used to distinguish users.
_gid	24 hours	Used to distinguish users.
_gat	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>.

_gac_<property-id>	90 days	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.
__hstc	13 months	The main cookie for tracking visitors.
hubspotutk	13 months	This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
__hssc	30 minutes	This cookie keeps track of sessions.
__hssrc	End of session	Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.

WordPress Plugin Flaw Allows for Site Takeover

Author: Melodie Foster

Date: 15th January 2021

Other resources

Cyberfort Colocation Services

What can Cyberfort do for you?

Cyberfort Deep Dives

Recent Posts

Recent Comments

Archives

Categories

Meta