Authenticated Stored Cross-Site Scripting (XSS) Vulnerability
Cross-site scripting vulnerabilities are characterized by an attacker gaining the ability to target the browsers of visitors through the use of malicious scripts that were surreptitiously placed on a website.
XSS is among the most prevalent types of vulnerability.
This specific attack is called an Authenticated Stored Cross-Site Scripting Vulnerability. A Stored XSS vulnerability is one in which a script is placed in the website itself by an attacker.
But this is an Authenticated Stored XSS vulnerability, meaning that the attacker must have website credentials in order to execute the attack.
This makes it less of a critical risk because it requires an attacker to take the extra step of acquiring credentials.
WP Bakery Authenticated Stored XSS vulnerability
This specific WP Bakery vulnerability requires that the attacker obtain contributor or author level posting credentials to a website.
Once an attacker has the credentials they are able to inject scripts on any posts or pages. It also gives the attacker the ability to alter the posts created by other users.
This vulnerability was composed of multiple flaws.
According to Wordfence:
WP Bakery Page Builder 6.4 and Under Are Affected
The vulnerability was discovered in late July 2020. WP Bakery issued a patch in late August but other problems still remained, including in a second patch issued in early September.
The final patch that closed the vulnerability was issued on September 24, 2020.
Plugin developers publish a changelog. Its content is what appears in the plugin area of the WordPress admin to tell site owners what an update contains.
Unfortunately, WP Bakery’s changelog does not reflect the urgency of the update because it does not explicitly say that it is patching a vulnerability. The changelog refers to the vulnerability patches as improvements.
Screenshot of WP Bakery Page Builder Changelog
The WP Bakery Page Builder plugin is often included in themes. Publishers should check their plugins and make sure they have the latest and safest version, which is 6.4.1.
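
Because the plugin is often bundled inside themes, a version check should look beyond the plugins directory. The script below is an added example, not code from WP Bakery or Wordfence: it reads the standard WordPress plugin header ("Plugin Name:" and "Version:") from every PHP file under a wp-content tree and flags copies older than 6.4.1. It assumes the header name contains "WPBakery" or "WP Bakery"; the directory names and sample files in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (6, 4, 1)  # first fully patched release, per the article
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_version(text):
    """'6.4' -> (6, 4, 0), so that 6.4 < 6.4.1 < 6.10 compares numerically."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def read_header(php_file):
    """Return (plugin name, version) from the first 8 KB of a PHP file, or None."""
    with open(php_file, "rb") as fh:
        head = fh.read(8192).decode("utf-8", "replace")
    fields = {key.lower(): value for key, value in HEADER.findall(head)}
    if "plugin name" in fields and "version" in fields:
        return fields["plugin name"], fields["version"]
    return None

def audit(wp_content, name_hint="wpbakery"):
    """List (relative path, version, needs_update) for every copy, themes included."""
    findings = []
    for php in sorted(Path(wp_content).rglob("*.php")):
        header = read_header(php)
        # Assumption: the plugin's header name contains "WPBakery"/"WP Bakery".
        if header and name_hint in header[0].lower().replace(" ", ""):
            rel = php.relative_to(wp_content).as_posix()
            findings.append((rel, header[1], parse_version(header[1]) < FIXED))
    return findings

def demo():
    """Constructed sample tree: a stale standalone copy, a patched theme-bundled copy."""
    samples = {
        "plugins/page-builder/main.php": ("WP Bakery Page Builder", "6.4"),
        "themes/example-theme/bundled/builder/main.php": ("WPBakery Page Builder", "6.4.1"),
        "plugins/other/other.php": ("Unrelated Plugin", "1.0"),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (name, version) in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True)
            path.write_text(f"<?php\n/*\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return audit(root)

if __name__ == "__main__":
    for rel, version, stale in demo():
        print(f"{'UPDATE' if stale else 'ok':6} {version:8} {rel}")
```

To check a real site, call audit() with the path to its wp-content directory instead of running demo().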