A Severe Bug Present In WordPress Plugin Called Orbit Fox Serves Site Takeover


Two security vulnerabilities in Orbit Fox, a WordPress plugin (one a privilege-escalation flaw, the other a stored XSS bug), can let attackers inject malicious code into a vulnerable site and take control of it. Orbit Fox is a multi-purpose plugin that works alongside the Gutenberg, Elementor, and Beaver Builder site-building tools; its main purpose is to give site owners tools for adding widgets and registration forms. Developed by ThemeIsle, Orbit Fox has more than 400,000 website installations.

According to Wordfence analysts, one of the vulnerabilities is a confirmed privilege-escalation flaw carrying a CVSS severity score of 9.9. Authenticated attackers with contributor-level access or above can elevate themselves to administrator and potentially take over a WordPress site. The privilege-escalation bug lives in the Orbit Fox registration widget, which is used to build registration forms with customizable fields when the Elementor or Beaver Builder page-builder plugins are in use. A site administrator can set a default role to be assigned to users who register through such a form.

A post by Wordfence researchers explained: “Lower level users like contributors, authors, and editors were not shown the option to set the default user role from the editor. However, we found that they could still modify the default user role by crafting a request with the appropriate parameter. The plugin provided client-side protection to prevent the role selector from being shown to lower-level users while adding a registration form. Unfortunately, there were no server-side protections or validation to verify that an authorized user was actually setting the default user role in a request.”

Server-side validation takes place when the data a user has entered into a registration form is submitted to the server: on receiving the request, the server checks it for security issues, confirms the data is formatted correctly, and prepares the submission for insertion into or update of a data store. Because Orbit Fox lacked that server-side validation, lower-level contributors, authors, and editors could set the default role assigned on successful registration to that of an administrator; the only step an attacker then needed was to register a fresh account, which would be granted admin privileges. Wordfence researchers note: “To exploit this flaw, user registration would need to be enabled and the site would need to be running the Elementor or Beaver Builder plugins. A site with user registration disabled or neither of these plugins installed would not be affected by this vulnerability.”

The second bug in the plugin is a confirmed stored cross-site scripting (XSS) issue that allows attackers with contributor- or author-level access to inject JavaScript into posts. This injection could be used to redirect visitors to malvertising sites or to create new administrative users, among other actions. It is rated 6.4 on the CVSS scale, making it a medium-severity bug.

The medium-severity issue arises because contributors and authors can add scripts to posts, despite not having the unfiltered_html capability, through the header and footer script feature in Orbit Fox, according to Wordfence. “This flaw allowed lower-level users to add malicious JavaScript to posts that would execute in the browser whenever a user navigated to that page. As always with XSS vulnerabilities, this would make it possible for attackers to create new administrative users, inject malicious redirects and backdoors, or alter other site content through the use of malicious JavaScript,” said Wordfence researchers.
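Both flaws share one root cause: a check enforced only in the editor UI, with nothing on the server. The following PHP is an added illustration written for this article, not Orbit Fox's own code or ThemeIsle's fix; it shows a registration-role save handler that trusts the request parameter, beside a hardened version that verifies a nonce, the caller's capability and an allowlist, and applies the same capability check to a per-post header script field. Hook names, option and meta keys, and request parameter names are hypothetical placeholders.

```php
<?php
// Added illustration, not Orbit Fox's own code or ThemeIsle's fix.
// Hook names, option/meta keys and request parameter names are hypothetical.

// VULNERABLE pattern: the role selector is only hidden in the editor UI,
// so any logged-in user who crafts the request can set the default role.
function vulnerable_save_registration_role() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Contributors and authors reach this line; no capability or value check.
    $role = isset( $_POST['default_role'] ) ? $_POST['default_role'] : 'subscriber';
    update_option( 'example_registration_default_role', $role ); // may be 'administrator'
}

// HARDENED pattern: verify intent (nonce), authority (capability) and
// the value itself (allowlist of non-privileged roles).
function hardened_save_registration_role() {
    check_ajax_referer( 'example_registration_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $requested = isset( $_POST['default_role'] )
        ? sanitize_key( wp_unslash( $_POST['default_role'] ) ) : '';
    $allowed = array( 'subscriber', 'contributor' );
    if ( ! in_array( $requested, $allowed, true ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }
    update_option( 'example_registration_default_role', $requested );
    wp_send_json_success();
}

// Same principle for a per-post header/footer script field: raw <script>
// content is stored only for users holding unfiltered_html; everyone else
// gets the same filtering WordPress applies to ordinary post content.
function hardened_save_post_scripts( $post_id ) {
    if ( ! isset( $_POST['example_scripts_nonce'] )
        || ! wp_verify_nonce( $_POST['example_scripts_nonce'], 'example_save_scripts' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $raw = isset( $_POST['example_header_script'] ) ? wp_unslash( $_POST['example_header_script'] ) : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $raw = wp_kses_post( $raw ); // strips <script> for contributors and authors
    }
    update_post_meta( $post_id, '_example_header_script', $raw );
}
add_action( 'wp_ajax_example_save_registration_role', 'hardened_save_registration_role' );
add_action( 'save_post', 'hardened_save_post_scripts' );
```

The hardened handlers reject the crafted request described by Wordfence regardless of what the editor UI shows, because the decision is made from the server's view of the caller's capabilities rather than from the submitted parameter.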

Both issues are fixed in version 2.10.3; administrators running any earlier version should update to the latest version as soon as possible.
