PageLayer, a fairly popular WordPress plug-in, has two critical vulnerabilities. These could allow remote attackers to wipe or modify the contents of your site and even inject malicious script for further exploits. Wordfence, which discovered the flaws, informed the plug-in's developers, and a patched update was made available on May 6th. Yet more than 100k sites are still at risk.

Can Wipe out Everything!

PageLayer WordPress Plugin

Wordfence discovered a similar threat in Google's plug-in earlier this month. Now it is back with findings in another plug-in, PageLayer, a drag-and-drop page builder used by over 200,000 users. PageLayer's older versions have two critical flaws that can be exploited to alter the site's contents or settings, or even to take over the site entirely.

The first vulnerability allows any user with just subscriber-level access to update or modify posts with malicious content. Such a user can tamper with other settings as well. The second vulnerability allows attackers to "forge a request on behalf of a site's administrator to modify the settings of the plugin which could allow for malicious Javascript injection."

Both flaws stem from unprotected AJAX actions and a lack of Cross-Site Request Forgery (CSRF) protection. Together these can allow attackers to inject malicious JavaScript code, alter the site's pages, create rogue admin accounts, and redirect visitors to other malicious sites. Wordfence describes the worst case of these exploits as the compromise of a user's computer through their browser.
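To make the two root causes concrete, here is an added illustration in PHP (it is not PageLayer's code, and the action, option and function names are hypothetical) of a WordPress AJAX handler written in the weak pattern the article describes, next to a hardened version. The weak handler runs for any logged-in user and accepts any request that reaches it; the hardened one verifies a nonce (CSRF), checks the caller's capability on the specific post (so a subscriber cannot edit someone else's page), and sanitizes the submitted markup before it is stored:

```php
<?php
/**
 * Added example, not PageLayer's code. Action names, option names and
 * function names below are hypothetical; the WordPress API calls are real.
 */

// --- Weak pattern -----------------------------------------------------
// 'wp_ajax_' hooks fire for ANY authenticated user, subscribers included.
// With no nonce and no capability check, a subscriber can overwrite any
// post, and a forged cross-site request from an admin's browser succeeds
// because nothing ties the request to a token the attacker cannot obtain.
add_action( 'wp_ajax_demo_save_page', 'demo_save_page_unprotected' );
function demo_save_page_unprotected() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';

    // Stored as-is: script tags in $content become stored XSS for visitors.
    wp_update_post( array( 'ID' => $post_id, 'post_content' => $content ) );
    wp_send_json_success();
}

// --- Hardened form ----------------------------------------------------
add_action( 'wp_ajax_demo_save_page_v2', 'demo_save_page_protected' );
function demo_save_page_protected() {
    // 1. CSRF: the request must carry a nonce minted for this action and
    //    this user's session. On failure check_ajax_referer() ends the
    //    request, so nothing below runs for a forged request.
    check_ajax_referer( 'demo_save_page', 'security' );

    // 2. Authorization: being logged in is not being allowed. Ask WordPress
    //    whether THIS user may edit THIS post (covers ownership and role).
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 3. Input handling: treat the builder's markup as untrusted. wp_kses_post()
    //    keeps the HTML a post may contain and strips <script> and event
    //    handler attributes, which removes the stored-XSS path.
    $raw   = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    $clean = wp_kses_post( $raw );

    $result = wp_update_post(
        array( 'ID' => $post_id, 'post_content' => $clean ),
        true // return WP_Error instead of 0 on failure
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// The nonce is created server-side and handed only to the plugin's own
// admin script, so a page on another origin has no way to read it.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_page' ),
    ) );
} );
```

When auditing a plugin for this class of bug, the three questions to ask of every `wp_ajax_*` and `wp_ajax_nopriv_*` handler are exactly the three numbered steps above: is there a nonce check, is there a capability check scoped to the object being changed, and is the input sanitized before it is stored or echoed. A handler missing the first is a CSRF issue; one missing the second is the subscriber-can-edit-anything issue; one missing the third turns either into stored JavaScript injection.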

Problem Mitigation

Updating to the latest version is the only fix. Site administrators are advised to update the plug-in from their dashboards or to download the new version, 1.1.2, directly from the PageLayer site.

This version was released on May 6th, and more than 85,000 sites have updated to it. Yet around 100,000 sites still run the flawed version and can be compromised if attackers take an interest in them.

Update here: PageLayer v1.1.2
