WordPress: Vulnerabilities in the Orbit Fox plugin allow site takeover

Security researchers at Wordfence have discovered two vulnerabilities in the WordPress plugin "Orbit Fox": a privilege escalation flaw and a cross-site scripting (XSS) flaw, affecting over 40,000 installations. The "Orbit Fox" plugin, which lets site owners add features such as registration forms and widgets, is installed on over 400,000 websites.

The plugin was developed by ThemeIsle to extend the Elementor, Beaver Builder and Gutenberg editors with additional add-on features.

Attackers can exploit both vulnerabilities to inject malicious code into websites running the vulnerable version of the plugin and take control of them.

According to Security Affairs, the privilege escalation vulnerability was rated "critical" and received a severity score of 9.9/10. The XSS flaw allows attackers to inject JavaScript into posts; in particular, it could be exploited to carry out a range of malicious actions, such as malvertising. That flaw was rated "moderate" and received a score of 6.4/10.

The "Orbit Fox" plugin includes a registration widget that can be used to build a registration form with customizable fields when the "Elementor" or "Beaver Builder" plugins are in use. When creating the registration form, the plugin lets the form author define a default role that is assigned every time a user registers through the form.

In addition, the researchers noted that the lack of server-side validation in Orbit Fox allows "lower-level" users (authors, editors, etc.) to set that role to administrator, so that an account created through the form is granted administrator privileges upon successful registration.

Wordfence also noted that, for the vulnerabilities to be exploitable, user registration must be enabled on the site and the site must be running the Elementor or Beaver Builder plugin.
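As an added illustration (not Orbit Fox's own code), the following hypothetical PHP registration handler shows the pattern described above, where the role to assign is trusted from the submitted form data, next to a hardened version that resolves the role server-side against a fixed allow-list; every function and form-field name other than the WordPress core API calls is an assumption.

```php
<?php
// Added example, not the plugin's code. Handler names, form field names and
// the configured-role argument are placeholders; only the WordPress core
// functions (wp_create_user, wp_insert_user, get_role, get_option, sanitize_*)
// are real.

// VULNERABLE PATTERN: the role comes straight from the request. Anyone who can
// edit the form configuration, or simply craft the POST body, chooses the role
// the new account receives, including 'administrator'.
function vulnerable_register_user( array $post ) {
    $user_id = wp_create_user( $post['user_login'], $post['user_pass'], $post['user_email'] );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    $user = new WP_User( $user_id );
    $user->set_role( $post['default_role'] ); // no server-side check of the value
    return $user_id;
}

// HARDENED PATTERN: the role is never read from the request. It is taken from
// the widget's saved configuration, restricted to low-privilege roles, and
// falls back to the site-wide default role for anything else.
const SAFE_REGISTRATION_ROLES = array( 'subscriber', 'contributor' );

function resolve_registration_role( $configured_role ) {
    $role = sanitize_key( (string) $configured_role );
    if ( ! in_array( $role, SAFE_REGISTRATION_ROLES, true ) || null === get_role( $role ) ) {
        // Unknown or privileged role requested: ignore it and use the site default.
        $role = get_option( 'default_role', 'subscriber' );
    }
    return $role;
}

function hardened_register_user( array $post, $configured_role ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ?? '', true ),
        'user_pass'  => $post['user_pass'] ?? '',
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'role'       => resolve_registration_role( $configured_role ),
    ) );
}
```

The same allow-list check belongs on the settings-save path as well, so that a lower-privileged form author cannot persist "administrator" as the configured role in the first place; auditing recently created administrator accounts is the corresponding detection step for sites that ran an affected version.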

The XSS vulnerability allowed lower-level users to add malicious JavaScript to posts, which would then run in the browser of every visitor who viewed that page.

The two vulnerabilities were mitigated by the release of version 2.10.3.

Vulnerabilities in WordPress plugins are very dangerous and can allow cybercriminals to carry out large-scale attacks. In December, the development team of the WordPress plugin Contact Form 7 disclosed an unrestricted file upload vulnerability; that plugin has over 5 million active installations.

Also in November, attackers exploited a zero-day vulnerability in the popular WordPress plugin "Easy WP SMTP", which is installed on over 500,000 sites. Around the same time, attackers exploited a critical remote code execution vulnerability in the "File Manager" plugin, leaving more than 300,000 WordPress websites exposed.