Multiple Vulnerabilities on Orbit Fox Plugin in WordPress


Multiple vulnerabilities disclosed on the popular WordPress Plugin, Orbit Fox, used by over 400 000 sites.

Overview

Wordfence disclosed two vulnerabilities in the popular WordPress plugin Orbit Fox, which is installed on over 400 000 sites. One allows attackers to escalate their privileges to administrator level; the other lets users with low-level privileges inject potentially malicious JavaScript into posts.

These vulnerabilities are rated as critical and medium in severity. Therefore, vulnerable versions should be updated immediately to the most recent version of the plugin.

Description

Orbit Fox is a popular plugin used to extend theme functionality with various modules like social media share buttons, uptime monitoring, custom menu icons etc. Currently, it is run on over 400 000 WordPress sites.

According to Wordfence, Orbit Fox 2.10.2 and older versions of the plugin contain two vulnerabilities that could allow attackers to escalate privileges and inject potentially malicious JavaScript into posts.

The first vulnerability exists in the registration widget that is used to create a registration form in the Elementor and Beaver Builder editors. While creating a form, the plugin allows a default user role, such as contributor, author or editor, to be assigned to registering users. However, this default role could be escalated to administrator by modifying the request with the appropriate parameter, as in the fragment below.

{"form_fields[...],"submit_label":"Register","user_role":"administrator"},"elements":

This vulnerability arises from the lack of server-side validation: the role choice was restricted only by client-side mechanisms, which were implemented properly in the plugin but are trivially bypassed by editing the request.
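The defensive pattern the advisory implies, shown as an added example that is not Orbit Fox's own code: the role a registration form may assign is checked on the server, at registration time, against a fixed allow-list, so a user_role value of "administrator" arriving from tampered widget settings or a modified request is demoted to a safe default. All function and constant names below are assumed for illustration; the WordPress functions it calls (wp_insert_user, sanitize_user, sanitize_email) are real core APIs.

```php
<?php
/*
 * Added example, not Orbit Fox code. Server-side allow-list for the default
 * role a self-registration form may grant. Names are assumed for illustration.
 */

/** Roles a self-registration form is ever allowed to grant. */
const DEMO_ALLOWED_REGISTRATION_ROLES = array( 'subscriber', 'contributor', 'author' );

/** Safe fallback when the submitted role is missing, unknown or privileged. */
const DEMO_DEFAULT_ROLE = 'subscriber';

/**
 * Decide which role a new self-registered account gets.
 *
 * Runs on the server at registration time, so it holds even if the stored
 * widget settings or the HTTP request were edited to say "administrator".
 *
 * @param mixed $requested Raw user_role value taken from settings or request.
 * @return string A role from DEMO_ALLOWED_REGISTRATION_ROLES.
 */
function demo_resolve_registration_role( $requested ) {
    if ( ! is_string( $requested ) ) {
        return DEMO_DEFAULT_ROLE;
    }
    $role = strtolower( trim( $requested ) );
    // Strict comparison: only exact allow-listed strings pass.
    if ( ! in_array( $role, DEMO_ALLOWED_REGISTRATION_ROLES, true ) ) {
        return DEMO_DEFAULT_ROLE;
    }
    return $role;
}

/**
 * Registration handler that applies the allow-list before calling WordPress.
 * Requires WordPress to be loaded (wp_insert_user, sanitize_user, sanitize_email).
 *
 * @param array $form Submitted form fields, e.g. taken from $_POST.
 * @return int|WP_Error New user ID, or the error returned by wp_insert_user().
 */
function demo_register_user_from_form( array $form ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( (string) ( $form['username'] ?? '' ), true ),
        'user_email' => sanitize_email( (string) ( $form['email'] ?? '' ) ),
        'user_pass'  => (string) ( $form['password'] ?? '' ),
        // Whatever the request says, the role never escapes the allow-list.
        'role'       => demo_resolve_registration_role( $form['user_role'] ?? null ),
    ) );
}

// Stand-alone check of the resolver (no WordPress needed). The widget
// settings fragment is constructed to mirror the tampered value in the
// advisory; the privileged role is demoted to the default.
$settings = json_decode( '{"submit_label":"Register","user_role":"administrator"}', true );
echo demo_resolve_registration_role( $settings['user_role'] ), PHP_EOL; // subscriber
echo demo_resolve_registration_role( 'Author' ), PHP_EOL;                // author
echo demo_resolve_registration_role( null ), PHP_EOL;                    // subscriber
```

The important design choice is where the check lives: it is applied when the account is created, not when the form is configured, so it does not depend on the client-side control or on the privilege level of whoever last saved the widget settings. Keeping "administrator" (and any other privileged or custom role) out of the allow-list entirely is simpler and safer than trying to validate the editor's capabilities at configuration time.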

The second vulnerability allows users with low-level privileges to inject malicious JavaScript into posts; the script then runs in the browser of any user who views the affected post.

Impact

An authenticated attacker with low-level privileges can gain administrator level access, resulting in full takeover of the targeted WordPress website. 

Impact Summary

Category: Authenticated Privilege Escalation
CVSS 3.1 Base Score: 9.9 Critical
CVSS 3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

An authenticated attacker with low-level privileges can conduct a stored Cross-Site Scripting (XSS) attack by injecting malicious JavaScript into posts.

Impact Summary

Category: Authenticated Stored XSS Attack
CVSS 3.1 Base Score: 6.4 Medium
CVSS 3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Solution (Update/Workaround)

To defend against attacks exploiting these vulnerabilities, vulnerable Orbit Fox installations (version 2.10.2 and older) should be updated to the most recent version. Both vulnerabilities were patched by ThemeIsle in the Orbit Fox 2.10.3 release.

Also, as a rule of thumb, the attack surface should be reduced by identifying a minimal set of essential plugins to install in WordPress. The selected plugins should come from trustworthy sources, and the most recent trusted version should be installed on your system. Don't forget that each theme and plugin comes with its own vulnerabilities for attackers to exploit. Read more on how to secure WordPress sites.

Quote by Dan Farmer

If security were all that mattered, computers would never be turned on, let alone hooked into a network with literally millions of potential intruders.

Dan Farmer

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

References to Advisories, Solutions and Tools

To learn more about how to protect your WordPress site, you can also read How to Secure Your WordPress Site?