
Cybersecurity Threat Advisory 0004-21: WordPress Plugin Critical Vulnerability

Threat Update

Security researchers have disclosed two vulnerabilities in the WordPress plugin Orbit Fox. The first, rated 9.9 on the CVSS scale, allows privilege escalation and remote code injection; the second, rated 6.4, allows cross-site scripting. SKOUT recommends updating the Orbit Fox plugin to the patched version as soon as possible. At the time this advisory was published, no CVE identifiers had been assigned to these vulnerabilities.

Technical Detail & Additional Information

WHAT IS THE THREAT?

Two vulnerabilities are present in the WordPress plugin Orbit Fox. The more severe, with a CVSS score of 9.9, allows a threat actor with contributor-level access to take over a WordPress site completely by sending a crafted request while adding a registration form through the Orbit Fox registration widget. The plugin's client-side code prevented low-privilege users from selecting the administrator role, but the server did not repeat that check or sanitize the submitted data, so a contributor could submit a malformed registration form that grants the administrator role. The less severe vulnerability, with a CVSS score of 6.4, allows cross-site scripting: Orbit Fox let contributors and authors add scripts to posts even though those roles lack the unfiltered_html capability. An injected script can embed malicious JavaScript in the page, redirect visitors to a malicious site, or, when it executes in an administrator's browser, create new site administrators.
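As an added illustration (this is not Orbit Fox's code, nor SKOUT's), the following hypothetical WordPress handlers show the two bug patterns described above next to a hardened version of each: a role setting that is only enforced in the browser, and contributor-supplied markup stored without honoring unfiltered_html. All function names, option keys, POST field names and nonce actions are invented for the example; the WordPress API calls (current_user_can, check_admin_referer, get_editable_roles, wp_filter_post_kses and so on) are real core functions.

```php
<?php
// Added example, not Orbit Fox's code. Names prefixed skout_example_ are invented.

// --- Bug pattern 1: a role chosen client-side is trusted by the server ----------
// The widget's <select> hides "administrator" from contributors, but nothing stops
// a contributor from POSTing default_role=administrator directly.
function skout_example_save_registration_role_vulnerable() {
    $role = sanitize_text_field( wp_unslash( $_POST['default_role'] ?? 'subscriber' ) );
    // No capability check, no nonce, no allow-list: "administrator" is accepted and
    // every account registered through the widget from now on is an admin.
    update_option( 'skout_example_registration_role', $role );
}

// --- Hardened version -------------------------------------------------------------
function skout_example_save_registration_role_hardened() {
    // 1. Only users who may grant roles can decide what role new registrants get.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the request must carry the nonce issued with the form.
    check_admin_referer( 'skout_example_save_role', '_skout_nonce' );

    // 3. Server-side allow-list, independent of anything the browser enforced.
    $requested = sanitize_key( wp_unslash( $_POST['default_role'] ?? 'subscriber' ) );
    if ( ! in_array( $requested, skout_example_allowed_registration_roles(), true ) ) {
        $requested = 'subscriber';
    }
    update_option( 'skout_example_registration_role', $requested );
}

// Roles a self-registration form may hand out: whatever the current user may edit,
// minus any role that can administer the site or manage other users.
function skout_example_allowed_registration_roles() {
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php'; // admin-only helper
    }
    $roles = array_keys( get_editable_roles() );
    return array_values( array_filter( $roles, function ( $name ) {
        $role = get_role( $name );
        return $role
            && ! $role->has_cap( 'manage_options' )
            && ! $role->has_cap( 'edit_users' );
    } ) );
}

// --- Bug pattern 2: author-supplied markup stored unfiltered -----------------------
// $_POST arrives slashed in WordPress; update_post_meta() unslashes on save, so the
// <script> a contributor typed lands in the database verbatim and renders for every
// visitor, including logged-in administrators.
function skout_example_save_widget_html_vulnerable( $post_id ) {
    update_post_meta( $post_id, 'skout_example_widget_html', $_POST['widget_html'] ?? '' );
}

// --- Hardened: enforce unfiltered_html on the server, as core does for post content
function skout_example_save_widget_html_hardened( $post_id ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'skout_example_save_html_' . $post_id, '_skout_nonce' );

    $html = $_POST['widget_html'] ?? ''; // still slashed, as WordPress delivers it
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        // wp_filter_post_kses() takes slashed input, applies the same allow-list
        // core uses for post content (drops <script>, on* handlers, javascript: URLs)
        // and returns slashed output ready for the meta API.
        $html = wp_filter_post_kses( $html );
    }
    update_post_meta( $post_id, 'skout_example_widget_html', $html );
}
```

The point of both hardened handlers is that the server re-derives the answer from the current user's capabilities rather than from anything the request claims; a hidden option in a form or a disabled field is a usability aid, not a security control.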

WHY IS IT NOTEWORTHY?

These vulnerabilities exist in Orbit Fox versions 2.10.2 and earlier. Orbit Fox currently has over 400,000 active installations, so potentially 400,000 WordPress sites are susceptible to severe privilege escalation and cross-site scripting attacks. The impact is not limited to the website itself: end users are affected too, because a threat actor could inject malicious JavaScript into a page that redirects visitors to sites that download malware onto their computers.

WHAT IS THE EXPOSURE OR RISK?

The cross-site scripting vulnerability (CVSS 6.4) is present in all Orbit Fox versions 2.10.2 and earlier. The severe privilege escalation vulnerability (CVSS 9.9), however, only affects sites that run an affected version of Orbit Fox together with either the Elementor or the Beaver Builder plugin and that have user registration enabled. Sites that use neither Elementor nor Beaver Builder, or that have user registration disabled, are not vulnerable to the privilege escalation vulnerability, although they remain exposed to the cross-site scripting vulnerability until Orbit Fox is updated.
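The exposure conditions above can be checked from inside WordPress itself. The following must-use plugin snippet is an added example (not SKOUT's or Orbit Fox's code) that reads the installed Orbit Fox version, checks whether Elementor or Beaver Builder is active, and reads the "Anyone can register" option, then shows an admin notice when the site matches. The plugin file paths are assumptions made for the example; verify them against the directories actually present under wp-content/plugins before relying on the result.

```php
<?php
/**
 * Plugin Name: SKOUT example: Orbit Fox exposure check
 * Description: Added example, not SKOUT's or Orbit Fox's own code. Drop into
 *              wp-content/mu-plugins/ to get a dashboard notice while exposed.
 */

function skout_example_orbit_fox_exposure() {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugin_data, is_plugin_active
    }

    // Assumed main plugin file for Orbit Fox; adjust if your install differs.
    $orbit_fox_file = WP_PLUGIN_DIR . '/themeisle-companion/themeisle-companion.php';
    if ( ! file_exists( $orbit_fox_file ) ) {
        return array( 'installed' => false );
    }

    // Read the "Version:" header from the plugin file (no markup, no translation).
    $data    = get_plugin_data( $orbit_fox_file, false, false );
    $version = $data['Version'];
    // The advisory: everything before 2.10.3 carries the XSS bug.
    $xss_exposed = version_compare( $version, '2.10.3', '<' );

    // Assumed plugin paths for the two page builders named in the advisory
    // (Elementor, and Beaver Builder in its lite and pro packaging).
    $builders = array(
        'elementor/elementor.php',
        'beaver-builder-lite-version/fl-builder.php',
        'bb-plugin/fl-builder.php',
    );
    $builder_active = false;
    foreach ( $builders as $builder ) {
        if ( is_plugin_active( $builder ) ) { // also true when network-activated
            $builder_active = true;
        }
    }

    // Settings > General > "Anyone can register" is stored as users_can_register.
    $registration_open = (bool) get_option( 'users_can_register' );

    return array(
        'installed'         => true,
        'version'           => $version,
        'xss_exposed'       => $xss_exposed,
        'builder_active'    => $builder_active,
        'registration_open' => $registration_open,
        // Privilege escalation needs all three conditions at once.
        'privesc_exposed'   => $xss_exposed && $builder_active && $registration_open,
    );
}

add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $r = skout_example_orbit_fox_exposure();
    if ( empty( $r['installed'] ) || ! $r['xss_exposed'] ) {
        return;
    }
    $what = $r['privesc_exposed'] ? 'privilege escalation and cross-site scripting'
                                  : 'cross-site scripting';
    printf(
        '<div class="notice notice-error"><p>Orbit Fox %s is exposed to %s. Update to 2.10.3 or later%s.</p></div>',
        esc_html( $r['version'] ),
        esc_html( $what ),
        $r['privesc_exposed'] ? ' and disable user registration until then' : ''
    );
} );
```

Because the snippet reads the version from the plugin header, it reports what is actually deployed rather than what the update screen says is available, which matters on sites where automatic updates are disabled or have silently failed.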

WHAT ARE THE RECOMMENDATIONS?

The current recommendations for these vulnerabilities are listed below:

  • Update the Orbit Fox plugin to version 2.10.3 or later.
  • If the site uses the Elementor or Beaver Builder plugin and has user registration enabled, disable user registration (uncheck "Anyone can register" under Settings > General in the WordPress dashboard) until Orbit Fox has been updated to version 2.10.3 or later.

References:

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.