A significant vulnerability has been patched in the Website Builder by SeedProd that has over 900,000 installations. This vulnerability, present in versions up to and including 6.15.21, poses a risk for unauthorized data modification on WordPress sites.
The vulnerability that was discovered is called a missing capability check within the ‘seedprod_lite_new_lpage’ function.
Capabilities are specific actions that users or roles are allowed to perform. A capability check is an important security feature in WordPress for managing permissions and access control: it determines whether a user has the authority to perform a specific action.
It is related to a role check but finer-grained: a role check verifies the user’s role (administrator, editor, and so on), while a capability check verifies whether the user holds a specific permission. A capability check therefore provides more granular control over permissions than a role check.
The missing capability check allows unauthenticated attackers to potentially modify the content of various pages created using the plugin, such as coming-soon or maintenance pages. The absence of this security feature exposes websites to risks of data tampering.
Unauthorized modification of data is a serious security issue. It arises from a flaw where unauthorized individuals can alter data, leading to potential exploits. Addressing this kind of vulnerability in the Website Builder plugin is highly recommended.
The vulnerability is rated 8.2 on a scale of 1 to 10, with a severity classified as ‘High’ under the Common Vulnerability Scoring System (CVSS). The high rating indicates how serious the potential impact is.
This vulnerability is so new that there is currently no entry in the National Vulnerability Database for the assigned CVE number CVE-2024-1072.
However, Wordfence WordPress security researchers emphasized the seriousness of the Website Builder by SeedProd vulnerability:
“This makes it possible for unauthenticated attackers to change the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin.”
The publisher of the Website Builder by SeedProd has responded by releasing an updated version, 6.15.22, which addresses this vulnerability. The update includes a security nonce to mitigate the risk, and users of the plugin are strongly advised to update immediately to secure their website against attacks.
Regarding the nonce, WordPress explains what it is:
“A nonce is a ‘number used once’ to help protect URLs and forms from certain types of misuse, malicious or otherwise.
…They help protect against several types of attacks…”
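The pattern described above, as an added illustration that is not SeedProd’s code: a hypothetical WordPress AJAX handler (all `example_*` names are constructed) that saves page content with no capability check, beside a hardened version that verifies a nonce and checks a capability. It assumes a script handle `example-editor` has already been registered.

```php
<?php
// Added example, not the plugin's code. Hypothetical handler that saves
// landing-page content via admin-ajax.php; all example_* names are constructed.

// BEFORE: the handler is hooked for logged-out users (wp_ajax_nopriv_) and
// never asks whether the caller may edit the page, so any request that
// reaches admin-ajax.php can overwrite the stored content.
function example_new_lpage_vulnerable() {
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    update_option( 'example_coming_soon_html', $content );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_new_lpage', 'example_new_lpage_vulnerable' );
add_action( 'wp_ajax_nopriv_example_new_lpage', 'example_new_lpage_vulnerable' );

// AFTER: two independent gates, and the nopriv hook is dropped entirely.
// 1. check_ajax_referer() rejects requests lacking a valid nonce for this
//    action. This is CSRF protection; a nonce is not an authorization check
//    by itself, because WordPress issues nonces to logged-out visitors too.
// 2. current_user_can() is the capability check: only users allowed to edit
//    pages may change the content.
function example_new_lpage_fixed() {
    check_ajax_referer( 'example_new_lpage', 'nonce' ); // dies with 403 on failure
    if ( ! current_user_can( 'edit_pages' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    update_option( 'example_coming_soon_html', $content );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_new_lpage', 'example_new_lpage_fixed' );

// The nonce is minted server-side for the editor UI (assumes the
// 'example-editor' script handle is registered) and sent back by the
// browser in the 'nonce' POST field of each save request.
function example_enqueue_editor() {
    wp_localize_script( 'example-editor', 'exampleEditor', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_new_lpage' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_editor' );
```

When reviewing a plugin, the `wp_ajax_nopriv_` hook on a state-changing handler is the first thing to look for; the capability check is what closes the hole, and the nonce defends the authorized user against cross-site requests.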
Read the announcement by Wordfence:
Featured Image by Shutterstock/Nikulina Tatiana