A high-severity vulnerability has been identified and successfully patched in the widely-used Website Builder by SeedProd WordPress plugin. With over 900,000 installations, this vulnerability, present in versions up to and including 6.15.21, posed a significant risk of unauthorized data modification on WordPress sites. In this article, we explore the details of the vulnerability, its impact, and the recommended actions for users.
Vulnerability Details: Missing Capability Check
The critical vulnerability lies in a missing capability check within the ‘seedprod_lite_new_lpage’ function of the Website Builder by SeedProd plugin. Capabilities, defining specific actions authorized users or roles can perform, are pivotal in WordPress security. A capability check ensures granular control over permissions, determining whether a user has the authority to execute specific actions.
Unauthorized Data Modification
The absence of the capability check exposed a loophole that could be exploited by unauthenticated attackers. This vulnerability potentially enabled them to modify the content of various pages created using the plugin, including coming-soon or maintenance pages. Unauthorized data modification is a serious security concern, as it opens avenues for potential exploits and compromises the integrity of website content.
Severity and Impact: High-Risk Exposure
Rated 8.2 out of a scale of 1-10, with a severity classification of ‘High’ according to the Common Vulnerability Scoring System (CVSS), this vulnerability poses a substantial risk. Although the CVE number CVE-2024-1072 is so recent that it lacks an entry in the National Vulnerability Database, security researchers from Wordfence highlight its severity. The vulnerability allows unauthenticated attackers to manipulate the content of crucial pages, such as coming-soon, maintenance, login, and 404 pages.
Recommendation For Website Builder Plugin Users
In response to the identified vulnerability, the publisher of the Website Builder by SeedProd promptly released an updated version, 6.15.22. This update introduces a security nonce, a “number used once” to protect against URL and form misuse. Users of the plugin are strongly urged to update to version 6.15.22 immediately. This swift action is crucial to securing websites against potential attacks exploiting the now-patched vulnerability.
WordPress Explanation on Nonce:
A nonce serves as a protective measure against various types of attacks, ensuring the integrity of URLs and forms. As described by WordPress, nonces are instrumental in defending against misuse, whether malicious or otherwise.
The identification and swift patching of this high-severity vulnerability in the Website Builder by SeedProd plugin underscore the importance of regular security updates. Website owners using this popular WordPress plugin are urged to prioritize the installation of version 6.15.22 to mitigate the risk of unauthorized data modification and bolster the overall security posture of their websites.