PT-2020-13633 · Siteorigin · Siteorigin Page Builder

Published: 2020-05-28 · Updated: 2020-05-28 · CVE-2020-13643

CVSS v3.1: 8.8 (High)

Vector: AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:R
Name of the Vulnerable Software and Affected Versions: SiteOrigin Page Builder plugin versions prior to 2.10.16

Description: An issue in the live editor feature of the SiteOrigin Page Builder plugin allows requests to be forged on behalf of an administrator because the feature performs no nonce verification (CSRF). The live editor's panels data $_POST variable can be abused to execute malicious JavaScript in the victim's browser.

Recommendations: For versions prior to 2.10.16, update to version 2.10.16 or later to resolve the issue. As a temporary workaround, consider disabling the live editor feature until a patch is available. Restrict access to the live editor's panels data $_POST variable to minimize the risk of exploitation.
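The root cause named above is a state-changing WordPress AJAX handler that trusts $_POST without a nonce. The following is an added illustration of that pattern and its fix; it is not code from the SiteOrigin plugin, and the action name, handler names, option name and the panels_data field name are hypothetical. The WordPress API calls (check_ajax_referer, current_user_can, wp_kses_post, wp_create_nonce) are real.

```php
<?php
// Added example, not the plugin's code. Handler/action/option names and the
// 'panels_data' field are hypothetical; the WordPress functions are real.

// --- Vulnerable pattern: no nonce, no capability check, input stored and echoed raw.
add_action( 'wp_ajax_example_live_editor_save', 'example_live_editor_save_vulnerable' );
function example_live_editor_save_vulnerable() {
    // A form on any third-party page can submit here while an admin is logged in;
    // the browser attaches the admin's cookies and nothing proves the admin intended it.
    $panels_data = $_POST['panels_data'];              // request-controlled
    update_option( 'example_live_editor_data', $panels_data ); // stored unsanitized
    echo $panels_data;                                  // reflected unescaped
    wp_die();
}

// --- Hardened pattern.
add_action( 'wp_ajax_example_live_editor_save_secure', 'example_live_editor_save_secure' );
function example_live_editor_save_secure() {
    // 1. CSRF: the nonce is minted only inside the legitimate editor page (see
    //    example_live_editor_enqueue below), so a cross-site form cannot supply a
    //    valid one. check_ajax_referer() terminates the request (HTTP 403) on failure.
    check_ajax_referer( 'example_live_editor', '_ajax_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege; check the capability too.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input handling: undo WordPress' added slashes, then reduce the markup to the
    //    post-safe allow-list so the stored value cannot carry script or event handlers.
    $panels_data = isset( $_POST['panels_data'] )
        ? wp_kses_post( wp_unslash( $_POST['panels_data'] ) )
        : '';
    update_option( 'example_live_editor_data', $panels_data );

    wp_send_json_success( array( 'saved' => true ) );
}

// The editor page must hand the nonce to its script; the hardened handler rejects
// requests without it. Assumes a script registered under the 'example-live-editor' handle.
add_action( 'admin_enqueue_scripts', 'example_live_editor_enqueue' );
function example_live_editor_enqueue() {
    wp_localize_script( 'example-live-editor', 'exampleLiveEditor', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_live_editor' ),
    ) );
}
```

Detection-wise, the vulnerable shape is easy to grep for during review: any wp_ajax_* or admin-post.php handler that reads $_POST and writes options, post meta or files without a preceding check_ajax_referer()/wp_verify_nonce() call and a current_user_can() check is a CSRF candidate, regardless of what the stored value is later used for.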

Exploit

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2020-13643

Affected Products

Siteorigin Page Builder