Home Hacking News PageLayer WordPress Plugin Vulnerabilities Risked Over 200K Websites
Hacking NewsLatest Cyber Security News | Network Security HackingNewsVulnerabilities

PageLayer WordPress Plugin Vulnerabilities Risked Over 200K Websites

by Abeerah Hashim
written by Abeerah Hashim
LayerSlider WordPress plugin had an SQL injection vulnerability

Continuing with the trail of vulnerable plugins, now joins PageLayer. Researchers found some serious vulnerabilities in PageLayer WordPress plugin that posed a threat to more than 200,000 websites.

PageLayer Plugin Vulnerabilities

Reportedly, team Wordfence has come up with another interesting finding regarding a WordPress plugin. This time, they found a couple of vulnerabilities in the PageLayer WordPress plugin that threatened thousands of websites. They have shared the details in a recent blog post.

Briefly, they found two different vulnerabilities in the plugin.

The first of these is a high-severity bug with a CVSS score of 7.4. It existed because of the absence of permission checks on all AJAX endpoints in the plugin. Hence, a user with any level of access to the site could perform any actions. As stated in the post,

These AJAX endpoints only checked to see if a request was coming from /wp-admin through an authenticated session and did not check the capabilities of the user sending the request.

Even a subscriber-level user could gain access to the site and meddle with site contents. This includes deleting the content or injecting malicious content to the existing pages.

The second vulnerability, also a high-severity bug with a CVSS score of 8.8, existed due to the absence of CSRF protection. Hence an adversary could inject malicious scripts to the site pages, that would execute whenever someone would visit the page.

Patch Rolled Out

Upon discovering the vulnerabilities, Wordfence contacted the plugin developers who then worked on the fixes.

Consequently, they implemented permission checks on all functions linked with site changes and added nonces for separate public and admin access. Besides, they implemented CSRF protection addressing the second vulnerability.

The developers released both the fixes with Page Builder: PageLayer version 1.1.2. Since then, they have made further improvements as well. Hence the latest version now available is 1.1.4. Users should ensure upgrading to this plugin version at the earliest to receive all the updates.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Multiple Vulnerabilities Found In Forminator WordPress Plugin

Palo Alto Networks Patched A Pan-OS Vulnerability Under...

Apple Removed Numerous Apps From China App Store

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...