CVE-2024-3338
📋 TL;DR
The Colibri Page Builder WordPress plugin has a stored cross-site scripting vulnerability that allows authenticated attackers with author-level access or higher to inject malicious scripts via image alt text. These scripts execute whenever users view compromised pages, potentially stealing credentials or performing unauthorized actions. WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Colibri Page Builder WordPress plugin
📦 What is this software?
Colibri Page Builder by Extendthemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or perform actions as authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with author access inject malicious scripts that steal user session cookies or credentials when visitors view compromised pages, leading to account takeover.
If Mitigated
With proper input validation and output escaping, the vulnerability is prevented, and only trusted users can modify page content.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has author privileges. The vulnerability is in a widely used WordPress plugin.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.0.262
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/extend-builder.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Colibri Page Builder.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily disable or remove the Colibri Page Builder plugin until patched:
wp plugin deactivate colibri-page-builder
wp plugin delete colibri-page-builder
Restrict user roles
Limit author-level access to trusted users only and implement strong authentication.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in image alt parameters
- Regularly audit user accounts with author privileges and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the installed Colibri Page Builder version. If the version is 1.0.262 or lower, the site is vulnerable.
Check Version:
wp plugin get colibri-page-builder --field=version
Verify Fix Applied:
Verify that the plugin version is higher than 1.0.262. Then enter a basic XSS payload such as <script>alert('test')</script> in an image alt field and confirm that it is rendered as inert text rather than executed, which shows that sanitization works.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to page content by author-level users
- Multiple failed login attempts followed by successful author login
Network Indicators:
- Unexpected JavaScript execution from page elements
- Suspicious outbound connections after page views
SIEM Query:
source="wordpress" AND ((plugin="colibri-page-builder" AND version<="1.0.262") OR (event="page_update" AND user_role="author" AND content_contains="<script>"))
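As an added example (not the plugin's own code, which is PHP), the output-escaping fix described under If Mitigated and the content sweep behind the detection query above, in Python: escape_alt() mirrors the class of fix the patch applies, and find_suspicious_img_tags() flags <img> tags in exported markup that carry a raw script opener, an inline event handler or a javascript: URL. All function names and the sample markup are constructed for this illustration.

```python
import html
import re

# Every <img ...> tag in exported post markup. The match stops at the first
# '>', so a raw <script> opener inside an unescaped alt still lands in it.
IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
# Markers a stored-XSS payload leaves behind in a tag: a raw <script opener,
# an inline event handler (onerror=, onload=, ...) or a javascript: URL.
PAYLOAD_MARKER = re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.IGNORECASE)


def escape_alt(alt: str) -> str:
    """Output-escape alt text for a double-quoted HTML attribute.

    html.escape(quote=True) encodes & < > " and ', the same class of fix as
    WordPress's esc_attr() in PHP: the text can no longer close the
    attribute or open a tag.
    """
    return html.escape(alt, quote=True)


def render_img_unescaped(src: str, alt: str) -> str:
    """Vulnerable pattern: user-controlled alt text interpolated verbatim."""
    return f'<img src="{src}" alt="{alt}">'


def render_img_escaped(src: str, alt: str) -> str:
    """Hardened pattern: every attribute value is escaped on output."""
    return f'<img src="{html.escape(src, quote=True)}" alt="{escape_alt(alt)}">'


def find_suspicious_img_tags(markup: str) -> list[str]:
    """Return each <img> tag whose raw text carries a payload marker.

    Run over a database dump of post content to find stored payloads;
    escaped output contains &lt; and &quot; instead of the raw characters
    and therefore does not match.
    """
    return [m.group(0) for m in IMG_TAG.finditer(markup) if PAYLOAD_MARKER.search(m.group(0))]


# Constructed sample: the alt text the advisory suggests as a test payload.
TEST_ALT = "<script>alert('test')</script>"

# Constructed sample page: one clean image and one tag carrying an injected
# inline event handler, the shape an unescaped alt field leaves behind.
SAMPLE_PAGE = (
    '<div class="hero"><img src="hero.jpg" alt="Summer sale"></div>\n'
    '<img src="missing.png" alt="" onerror="alert(1)">\n'
)

if __name__ == "__main__":
    print(render_img_unescaped("x.png", TEST_ALT))  # payload lands in the page verbatim
    print(render_img_escaped("x.png", TEST_ALT))    # payload rendered as inert text
    print(find_suspicious_img_tags(SAMPLE_PAGE))    # flags only the onerror tag
```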
🔗 References
- https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/extend-builder.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3a066eae-4040-4d76-b730-47d98dc37662?source=cve