Security researchers at Wordfence have discovered two vulnerabilities in the WordPress plugin "Orbit Fox": a privilege escalation vulnerability and a cross-site scripting (XSS) vulnerability, affecting over 40,000 installations. The "Orbit Fox" plugin, which lets site owners add features such as registration forms and widgets, is installed on over 400,000 websites.
The "Orbit Fox" plugin includes a registration widget that can be used to build a registration form with customizable fields when the site also runs the "Elementor" or "Beaver Builder" plugin. When creating the registration form, the plugin lets the form author define a default role that is assigned every time a user registers through that form.
The researchers also noted that the lack of server-side validation of this setting in Orbit Fox allows lower-privileged users (authors, editors, etc.) to set the role assigned on successful registration to administrator.
Wordfence also noted that, for attackers to exploit these vulnerabilities, user registration must be enabled on the site and the site must be running the Elementor or Beaver Builder plugin.
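The kind of server-side check the researchers describe as missing, as an added illustration that is not Orbit Fox's code: the handler never reads a role from the submitted request, takes it only from the widget's saved configuration, and applies it only if it is on an allowlist of non-privileged roles, so a default role of "administrator" is rejected no matter who configured the widget. All function names prefixed `ofx_example_` and the nonce action are assumptions; the WordPress API calls are real.

```php
<?php
// Added illustration, not Orbit Fox code. Hypothetical registration handler
// for a form widget that stores a "default role" setting chosen by whoever
// edits the page; that setting is treated as untrusted input here.

// Roles a self-registration form may ever assign. Anything else
// (administrator, editor, ...) is rejected even if it appears in the
// saved widget setting.
function ofx_example_allowed_roles(): array {
    return array( 'subscriber', 'contributor' );
}

// Resolve the role for a new registration from the saved widget setting
// only. Returns a safe role, or null if the configuration is not acceptable.
function ofx_example_resolve_role( string $configured_role ): ?string {
    $role = sanitize_key( $configured_role );
    if ( ! in_array( $role, ofx_example_allowed_roles(), true ) ) {
        return null; // privileged or unknown role configured: refuse
    }
    if ( null === get_role( $role ) ) {
        return null; // role not defined on this site
    }
    return $role;
}

// $request is the submitted form data and is used for identity fields only;
// a 'role' field in the request, if present, is never consulted.
function ofx_example_handle_registration( array $request, string $configured_role ) {
    if ( ! get_option( 'users_can_register' ) ) {
        wp_die( 'Registration is disabled.' );
    }
    if ( ! wp_verify_nonce( $request['_wpnonce'] ?? '', 'ofx_example_register' ) ) {
        wp_die( 'Invalid request.' );
    }
    $role = ofx_example_resolve_role( $configured_role );
    if ( null === $role ) {
        wp_die( 'Registration form is misconfigured.' );
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ?? '' ),
        'user_email' => sanitize_email( $request['email'] ?? '' ),
        'user_pass'  => $request['password'] ?? '',
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_die( esc_html( $user_id->get_error_message() ) );
    }
    return $user_id;
}
```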
The two vulnerabilities were mitigated by the release of version 2.10.3.
Vulnerabilities in WordPress plugins are very dangerous and can allow cybercriminals to carry out large-scale attacks. In December, the development team of the WordPress plugin Contact Form 7 disclosed an unrestricted file upload vulnerability in the plugin, which has over 5 million active installations.
In November, hackers exploited a zero-day vulnerability in the popular WordPress plugin "Easy WP SMTP", which is installed on over 500,000 sites. Around the same time, hackers exploited a critical remote code execution vulnerability in the "File Manager" plugin, leaving more than 300,000 WordPress websites exposed.