Researchers have uncovered two severe vulnerabilities in the PageLayer WordPress plugin that could allow hackers to hijack websites that employ its design features.
The affected plugin is used to build custom web pages via a simple drag-and-drop mechanism – a boon for users without programming expertise – and is deployed across more than 200,000 websites.
Identified by security firm Wordfence, the two bugs could also be manipulated by cybercriminals to inject rigged code, meddle with existing website content, and even perform a total content erasure.
WordPress plugin bugs
According to the researchers responsible for the discovery, the pair of vulnerabilities stem from unprotected AJAX actions, nonce disclosure, and a lack of measures to safeguard against Cross-Site Request Forgery (CSRF).
Hackers could reportedly exploit these oversights to perform all manner of malicious activities, including creating admin accounts, funnelling visitors to dangerous domains and invading a user’s computer via the web browser.
“One flaw allowed any authenticated user with subscriber-level and above permissions the ability to update and modify posts with malicious content, amongst many other things,” explained Wordfence.
“A second flaw allowed attackers to forge a request on behalf of a site’s administrator to modify the settings of the plugin which could allow for malicious Javascript injection.”
The security firm disclosed the flaws on April 30 and PageLayer subsequently issued a patch on May 6, with version 1.1.2. However, despite three weeks having passed since the patch was issued, only roughly 85,000 users have updated to the latest version, leaving circa 120,000 still at risk.
To safeguard against site takeover, PageLayer users are advised to update the plugin to the latest version immediately.