Categories: Security, Business Continuity, News

Critical Security Flaw Exposed in Popular WordPress Plugin Affects Over 900K Sites: Urgent Update Recommended

3 February 2024·2 min read

A significant vulnerability has been discovered in the Website Builder by SeedProd, a popular WordPress plugin with over 900,000 installations. The vulnerability, identified as CVE-2024-1072, is rated 8.2 out of 10 on the severity scale according to the Common Vulnerability Scoring System (CVSS), indicating a high potential impact.

The vulnerability was present in versions up to and including 6.15.21 and posed a risk of unauthorized data modification on WordPress sites. The root cause was a missing capability check within the 'seedprod_lite_new_lpage' function. In WordPress, capabilities are specific actions that users or roles are allowed to perform. A capability check is an important security control for managing permissions and access: it verifies whether the current user holds a specific permission, giving more granular control than a role check.

Because that check was absent, even unauthenticated users could potentially modify the content of WordPress sites, altering coming-soon or maintenance pages beyond recognition.

In response to the discovery of this vulnerability, the publisher of the Website Builder by SeedProd released an updated version, 6.15.22, which addresses this issue. The update adds a security nonce to mitigate the risk. A nonce is a “number used once” that helps protect URLs and forms from certain types of misuse, malicious or otherwise. Users of the plugin are strongly advised to update immediately to secure their websites against attacks.
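To make the two controls discussed above concrete, here is an added example of a minimal WordPress admin-ajax handler that saves a landing page, shown first without any check and then hardened. This is illustrative code written for this post, not SeedProd's code; the function names, hook names, option key and nonce action are hypothetical. Note that a nonce only proves the request originated from a form the site issued (it defends against cross-site request forgery); it does not establish that the user is allowed to edit, so the hardened version pairs `check_ajax_referer()` with `current_user_can()`.

```php
<?php
// Added example, not the plugin's own code. Hypothetical names throughout.

const DEMO_NONCE_ACTION = 'demo_save_lpage'; // hypothetical nonce action

// BEFORE: no nonce and no capability check. Anything that reaches admin-ajax.php
// can overwrite the stored page content.
function demo_save_lpage_unchecked() {
    $content = isset( $_POST['content'] )
        ? wp_kses_post( wp_unslash( $_POST['content'] ) )
        : '';
    update_option( 'demo_landing_page_html', $content ); // hypothetical option key
    wp_send_json_success( array( 'saved' => true ) );
}
// Registering a wp_ajax_nopriv_ hook makes the handler reachable without a login.
add_action( 'wp_ajax_nopriv_demo_save_lpage_unchecked', 'demo_save_lpage_unchecked' );
add_action( 'wp_ajax_demo_save_lpage_unchecked', 'demo_save_lpage_unchecked' );

// AFTER: verify intent (nonce) and authorization (capability) before touching data.
function demo_save_lpage_checked() {
    // Dies with HTTP 403 when the 'nonce' POST field is missing or does not verify.
    check_ajax_referer( DEMO_NONCE_ACTION, 'nonce' );

    // The nonce does not prove the user may edit; the capability check does.
    if ( ! current_user_can( 'edit_pages' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $content = isset( $_POST['content'] )
        ? wp_kses_post( wp_unslash( $_POST['content'] ) )
        : '';
    update_option( 'demo_landing_page_html', $content );
    wp_send_json_success( array( 'saved' => true ) );
}
// Authenticated hook only; no wp_ajax_nopriv_ registration for a write operation.
add_action( 'wp_ajax_demo_save_lpage_checked', 'demo_save_lpage_checked' );

// Hand the nonce to the editor script so the form can send it back with each save.
function demo_enqueue_editor_script() {
    wp_enqueue_script( 'demo-editor', plugins_url( 'editor.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-editor', 'demoEditor', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( DEMO_NONCE_ACTION ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_editor_script' );
```

When reviewing a plugin's AJAX handlers, the quick check is the same for every write operation: is there a `wp_ajax_nopriv_` registration that should not exist, is the nonce verified, and is the capability checked before any `update_option()` or post update runs. A handler that has the nonce but not the capability check is still open to any logged-in user who can obtain a nonce, which is why both controls belong together.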

This vulnerability underscores the importance of regular updates and security checks for all WordPress plugins. It also highlights the critical role of security researchers in identifying and addressing potential threats to website security. Security researchers at Wordfence, for instance, played a key role in emphasizing the seriousness of this vulnerability.

In conclusion, the discovery of this high-severity vulnerability in the Website Builder by SeedProd plugin serves as a reminder of the ongoing threats to website security. It underscores the importance of maintaining up-to-date plugins and implementing robust security measures to protect against potential attacks.

Darren Kandekore
Full-Stack Developer · Google Partner · Digital Entrepreneur
