XSS vulnerability affects Beaver Builder WordPress Page Builder

The popular Beaver Builder WordPress Page Builder has been found to contain an XSS vulnerability that could allow an attacker to inject scripts into the website that are executed when a user visits a webpage.

Beaver Builder

Beaver Builder is a popular plugin that allows anyone to create a professional-looking website using an easy-to-use drag-and-drop interface. Users can start with a pre-made template or build a website from scratch.

Stored Cross-Site Scripting (XSS) Vulnerability

Security researchers at Wordfence have published an advisory about an XSS vulnerability affecting the page builder plugin. An XSS vulnerability is typically found in a part of a theme or plugin that accepts user input. The flaw arises when there is insufficient filtering of what can be input (a process called input sanitization). Another flaw that leads to XSS is inadequate output escaping, a security measure applied to a plugin's output that prevents malicious scripts from being passed on to a website visitor's browser.

This particular vulnerability is known as stored XSS. Stored means that an attacker can inject a script directly onto the web server. This is different from reflected XSS, which requires a victim to click on a link to the attacked website to execute a malicious script. Stored XSS (as in the case of Beaver Builder) is generally considered more dangerous than reflected XSS.

The XSS vulnerability in Beaver Builder was due to inadequate input sanitization and output escaping.
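The two failures named above, shown side by side in an added example. This is not Beaver Builder's code: the settings array, field names and function names are hypothetical, and it uses plain PHP functions so it runs outside WordPress (inside WordPress, `sanitize_text_field()`, `esc_url()` and `esc_attr()` fill the same roles).

```php
<?php
// Added illustration; not the plugin's code. All names are hypothetical.

// Constructed sample of button settings saved by a contributor-level user.
$settings = [
    'text'      => 'Read more',
    'link'      => 'javascript:alert(document.domain)',
    'css_class' => '" onmouseover="alert(1)',
];

// Vulnerable pattern: stored values are concatenated into markup as-is,
// so a quote in css_class closes the attribute and adds an event handler.
function render_button_unsafe(array $s): string
{
    return '<a class="' . $s['css_class'] . '" href="' . $s['link'] . '">'
        . $s['text'] . '</a>';
}

// Input sanitization: allow only http(s) links; anything else becomes "#".
function sanitize_link(string $url): string
{
    $url    = trim($url);
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '#';
}

// Output escaping: encode each value for the HTML context it is written into.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: sanitize the link, then escape every value on output.
function render_button_safe(array $s): string
{
    return '<a class="' . e($s['css_class']) . '" href="'
        . e(sanitize_link($s['link'])) . '">' . e($s['text']) . '</a>';
}

echo render_button_unsafe($settings), PHP_EOL; // attribute breakout, script URL kept
echo render_button_safe($settings), PHP_EOL;   // quotes encoded, link replaced by "#"
```

Sanitizing on save and escaping on render are independent controls; the hardened function stays safe even if the stored value was written before any sanitization existed.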

Wordfence described the vulnerability:

“The Beaver Builder – WordPress Page Builder plugin for WordPress, in all versions up to and including 2.8.0.5, is vulnerable to saved cross-site scripting via the plugin's button widget due to insufficient sanitization of input and output when requested by the user. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages that are executed whenever a user accesses an injected page.”

The vulnerability is rated 6.4, which corresponds to a medium-level threat. Attackers must obtain at least contributor-level privileges to launch an attack, making this vulnerability somewhat more difficult to exploit.

Beaver Builder's official changelog, which documents what is included in an update, notes that a patch was released in version 2.8.0.7.

The changelog notes:

“Fix XSS issue in button and button group modules when using Lightbox”

Recommended action: In general, it's a good idea to update and patch a vulnerability before an attacker can exploit it. It's also a good idea to stage the website first before pushing an update live, in case the updated plugin conflicts with another plugin or theme.

Read the Wordfence advisory:

Beaver Builder – WordPress Page Builder <= 2.8.0.5 – Authenticated (Contributor+) Saved Cross-Site Scripting via Button
