PT-2021-15753 · WordPress · Wp Page Builder

Ramuel Gall · Published 2021-04-05 · Updated 2021-04-12 · CVE-2021-24208

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WP Page Builder WordPress plugin versions prior to 1.2.4
Description: The issue allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom HTML” widgets. The “Custom HTML” widget requires sending a crafted request, as it uses client-side validation but not server-side validation. This insertion is done via the page_builder_data parameter when performing the wppb_page_save AJAX action. Additionally, malicious JavaScript can be inserted via the wppb_page_css parameter by closing out the style tag and opening a script tag during the wppb_page_save AJAX action.
Recommendations: For versions prior to 1.2.4, update to version 1.2.4 or later to resolve the issue. As a temporary workaround, consider disabling the wppb_page_save AJAX action or restricting access to the page_builder_data and wppb_page_css parameters until a patch is available. Restrict the use of the “Raw HTML” and “Custom HTML” widgets to minimize the risk of exploitation.
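
The server-side checks whose absence the description points to, sketched as an added example (this is not WP Page Builder's own code or its 1.2.4 patch). The handler name, the nonce action, the page_id parameter, the meta keys, and the assumption that page_builder_data arrives as JSON are all hypothetical.

```php
<?php
// Added example: hypothetical hardened save handler, not the plugin's real code.
// Assumed names: example_* functions, 'example_wppb_nonce', 'page_id', '_example_*' meta keys.
add_action( 'wp_ajax_wppb_page_save', 'example_wppb_page_save' );

function example_wppb_page_save() {
    // Reject forged cross-site requests before touching any input.
    check_ajax_referer( 'example_wppb_nonce', 'nonce' );

    // The caller must be allowed to edit this specific post.
    $post_id = isset( $_POST['page_id'] ) ? absint( $_POST['page_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Assumption: widget data is submitted as a JSON document.
    $data = json_decode( wp_unslash( $_POST['page_builder_data'] ?? '' ), true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'invalid page_builder_data', 400 );
    }

    // Server-side filtering: only users holding unfiltered_html may store raw
    // markup. Everyone else gets every string leaf passed through wp_kses_post(),
    // whatever the editor's client-side validation did or did not do.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $data = map_deep( $data, 'example_kses_leaf' );
    }

    // CSS must never contain markup: strip tags so a closing style tag followed
    // by a script tag cannot break out of the style block on output.
    $css = wp_strip_all_tags( wp_unslash( $_POST['wppb_page_css'] ?? '' ) );
    if ( false !== stripos( $css, '</style' ) ) {
        wp_send_json_error( 'invalid wppb_page_css', 400 );
    }

    // update_post_meta() unslashes its input, so re-slash to keep the data intact.
    update_post_meta( $post_id, '_example_wppb_data', wp_slash( wp_json_encode( $data ) ) );
    update_post_meta( $post_id, '_example_wppb_css', wp_slash( $css ) );
    wp_send_json_success();
}

// Sanitize one leaf of the widget tree; non-string values pass through unchanged.
function example_kses_leaf( $value ) {
    return is_string( $value ) ? wp_kses_post( $value ) : $value;
}
```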

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2021-24208

Affected Products

Wp Page Builder