wpexploit | Ramuel Gall | WPEX-ID:21E7A46F-E9A3-4B20-B44A-A5B6CE7B7CE6
Mar 17, 2021 - 12:00 a.m.

WP Page Builder < 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts


EPSS: 0.001 (Low), percentile 24.8%

By default, the plugin allows subscriber-level users to edit any and all posts and pages; user roles must be specifically blocked from editing posts and pages. A subscriber, upon registering an account on a site running the WP Page Builder plugin, could immediately modify or delete existing content on the site.

It is possible for a subscriber-level user to access the editor simply by visiting the post editor's URL for a given post or page and supplying "wppb_editor" in the "action" parameter, e.g. wp-admin/post.php?post=610&action=wppb_editor.
