Monday, February 22, 00:38
WordPress: Vulnerabilities in Orbit Fox plugin allow download sites!

Security experts from Wordfence have discovered two vulnerabilities in the WordPress plugin "Orbit Fox": a privilege escalation vulnerability and a cross-site scripting (XSS) flaw, affecting over 40.000 installations. The "Orbit Fox" plugin, which allows webmasters to add features such as registration forms and widgets, is installed on over 400.000 websites.

The plugin was developed by ThemeIsle to extend the Elementor, Beaver Builder and Gutenberg editors with add-on features.

Hackers can exploit both vulnerabilities to insert malicious code into websites that run the vulnerable version of the plugin and take control of them.

According to Security Affairs, the privilege escalation vulnerability was rated "critical" and received a severity score of 9,9 / 10. The XSS flaw allows hackers to inject JavaScript into posts; in particular, it could be used for a range of malicious actions, such as malvertising attacks. This flaw was rated "moderate" and received a score of 6,4 / 10.

The "Orbit Fox" plugin includes a registration widget that can be used to create a registration form with customizable fields when the "Elementor" or "Beaver Builder" plugin is in use. When creating the registration form, the plugin allows the author to define a default role that will be assigned each time a user registers through the form.

In addition, the experts noted that the lack of server-side validation in Orbit Fox allows "lower-level" users (authors, editors, etc.) to set their role to administrator upon successful registration.

Wordfence also noted that, for hackers to exploit the vulnerabilities, user registration must be enabled and the website must be running the Elementor or Beaver Builder plugin.

The XSS vulnerability allowed lower-level users to add malicious JavaScript to posts, which would run in the browser each time a visitor viewed the page.
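The two weaknesses described above, a role chosen in the widget editor that the server never validates, and widget text that reaches the page unescaped, both come down to trusting input that a lower-level user controls. The following is an added illustration, not Orbit Fox's code or Wordfence's: a minimal registration-form widget for WordPress that renders its fields with output escaping and decides the new user's role on the server against an allow list. All function names, the `demo_register` action, and the `demo_form_default_role` option are hypothetical.

```php
<?php
// Added example (not Orbit Fox code): a registration-form handler for a
// page-builder widget, showing the weak pattern beside the hardened one.
// Assumes the widget passes its settings in the $settings array and that the
// form posts to admin-post.php with action "demo_register"; the function
// names and the demo_form_default_role option are hypothetical.

// --- Rendering the form: escape every widget setting before output ----------
function demo_render_registration_form( array $settings ) {
    // A label typed into the widget by a lower-level user must never reach the
    // page unescaped; esc_html() neutralises a <script> payload stored there.
    $label = isset( $settings['username_label'] ) ? $settings['username_label'] : 'Username';
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'demo_register', 'demo_register_nonce' );
    echo '<input type="hidden" name="action" value="demo_register">';
    echo '<label>' . esc_html( $label ) . ' <input type="text" name="user_login"></label>';
    echo '<label>Email <input type="email" name="user_email"></label>';
    echo '<label>Password <input type="password" name="user_pass"></label>';
    // Weak pattern: the role chosen in the widget editor travels through the
    // browser in a hidden field, so whoever submits the form also chooses it.
    // echo '<input type="hidden" name="role" value="' . esc_attr( $settings['default_role'] ) . '">';
    echo '<button type="submit">Register</button></form>';
}

// --- Handling the submission: decide the role on the server -----------------
function demo_allowed_registration_roles() {
    // Roles a self-registering visitor may receive. Administrator is never on
    // this list, whatever the widget author configured.
    return array( 'subscriber', 'contributor' );
}

function demo_resolve_role( $configured_role ) {
    $role = sanitize_key( $configured_role );
    if ( ! in_array( $role, demo_allowed_registration_roles(), true ) ) {
        // Fall back to the site's own default instead of trusting the widget.
        $role = get_option( 'default_role', 'subscriber' );
    }
    return $role;
}

function demo_handle_registration() {
    if ( ! get_option( 'users_can_register' ) ) {
        wp_die( 'Registration is disabled.' );
    }
    if ( ! isset( $_POST['demo_register_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_register_nonce'], 'demo_register' ) ) {
        wp_die( 'Invalid request.' );
    }

    // Vulnerable pattern (what the text describes): role taken from the request.
    // $role = isset( $_POST['role'] ) ? $_POST['role'] : 'subscriber';

    // Hardened pattern: read the configured role from server-side settings
    // (here a hypothetical option) and validate it against the allow list.
    $role = demo_resolve_role( get_option( 'demo_form_default_role', 'subscriber' ) );

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_die( esc_html( $user_id->get_error_message() ) );
    }
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
add_action( 'admin_post_nopriv_demo_register', 'demo_handle_registration' );
add_action( 'admin_post_demo_register', 'demo_handle_registration' );
```

Two design points matter here. The role never travels through the browser, and even the value stored by the widget's author is checked against an allow list that excludes administrator, because authors and editors who can edit the widget are exactly the "lower-level" users the article mentions. On the rendering side, every string a widget author can type is passed through `esc_html()` or `esc_url()` at output time, which is what stops stored JavaScript from executing in visitors' browsers.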

Both vulnerabilities were addressed in version 2.10.3.

Vulnerabilities in WordPress plugins are very dangerous and could allow cybercriminals to carry out large-scale attacks. In December, the development team of WordPress' Contact Form 7 plugin disclosed an "unrestricted" file upload vulnerability. The plugin has over 5 million active installations.

In November, hackers exploited a zero-day vulnerability in the popular WordPress plugin "Easy WP SMTP", which is installed on over 500.000 sites. Around the same time, hackers exploited a critical remote code execution vulnerability in the "File Manager" plugin, leaving more than 300.000 WordPress websites exposed.
