CVE-2024-2202 in Page Builder Plugininfo

Summary

by MITRE • 03/23/2024

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the legacy Image widget in all versions up to, and including, 2.29.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/13/2025

The Page Builder by SiteOrigin plugin represents a widely used WordPress construction tool that enables users to create complex layouts through drag-and-drop functionality. This particular vulnerability exists within the legacy Image widget component of the plugin's codebase, affecting all versions up to and including 2.29.6. The flaw manifests as a stored cross-site scripting vulnerability that exploits inadequate input sanitization mechanisms and insufficient output escaping routines. Security researchers identified that authenticated attackers possessing contributor-level privileges or higher can leverage this weakness to inject malicious scripts into web pages through the plugin's interface. The vulnerability specifically targets the legacy Image widget functionality, which processes user input without proper validation, creating a persistent threat vector that remains active until the affected plugin version is updated or the malicious content is manually removed.

The technical implementation of this vulnerability stems from the plugin's failure to properly sanitize user-supplied data before storing it in the WordPress database. When administrators or contributors utilize the legacy Image widget to configure image properties, the input values are not adequately filtered through security validation processes. This insufficient sanitization allows malicious payloads to be stored directly within the WordPress content management system, making the scripts persistent across page loads. The output escaping mechanism fails to properly encode the stored data when rendering pages, enabling the malicious JavaScript code to execute in the context of legitimate users' browsers. This stored XSS vulnerability operates at the application layer and can be exploited through the WordPress administrative interface where the plugin is installed and configured.

The operational impact of this vulnerability extends beyond simple script execution, as it creates a persistent threat that can compromise user sessions and potentially lead to complete system compromise. Authenticated attackers with contributor privileges can inject scripts that might steal cookies, perform unauthorized actions on behalf of users, or redirect victims to malicious domains. The vulnerability affects any user who accesses pages containing the injected content, making it particularly dangerous in multi-user environments where administrators may inadvertently view compromised pages. The stored nature of the vulnerability means that even if the initial injection occurs during a brief maintenance window, the malicious code continues to execute whenever users access affected pages, creating a long-term security risk for all WordPress installations using the vulnerable plugin version.

Mitigation strategies for this vulnerability require immediate action from WordPress site administrators to update the Page Builder by SiteOrigin plugin to a patched version that addresses the input sanitization and output escaping deficiencies. Organizations should implement strict access controls and privilege management to limit contributor-level access to trusted personnel only, as this vulnerability requires at least contributor privileges to exploit successfully. Security monitoring should include regular scanning for malicious code injection patterns and verification of plugin integrity through checksum validation. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications, and it maps to ATT&CK technique T1566.001 which covers social engineering through spearphishing attachments and links. Additionally, organizations should conduct comprehensive security audits of all installed plugins and themes to identify similar sanitization and escaping weaknesses that could provide similar attack vectors. System administrators should also consider implementing content security policies and regular security assessments to prevent unauthorized modifications to WordPress installations.

Responsible

Wordfence

Reservation

03/05/2024

Disclosure

03/23/2024

Moderation

accepted

CPE

ready

EPSS

0.00430

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!