CVE-2024-4451
📋 TL;DR
The Colibri Page Builder WordPress plugin has a stored cross-site scripting (XSS) vulnerability in its colibri_video_player shortcode: attacker-controlled shortcode attributes are not sufficiently sanitized and escaped before being rendered. Any authenticated user with the Contributor role or higher can store a script payload in post content that executes in the browser of anyone who views (or previews) the affected page. All WordPress sites running the plugin at version 1.0.276 or earlier are affected.
💻 Affected Systems
- Colibri Page Builder WordPress Plugin, versions 1.0.276 and earlier
📦 What is this software?
Colibri Page Builder by Extendthemes
⚠️ Risk & Real-World Impact
Worst Case
If an administrator views an injected page, the script runs inside that administrator's authenticated session and can perform any action the admin can: create additional administrator accounts, change site settings, or install a backdoored plugin for persistent access. Against anonymous visitors the same payload can redirect them to malicious sites or deface the page.
Likely Case
A user with Contributor access stores a payload in the shortcode; when an editor or administrator reviews the submission, the script performs actions with their privileges (WordPress auth cookies are HttpOnly, so attackers typically ride the session via admin-ajax or the REST API rather than exfiltrate the cookie), or it redirects visitors to phishing sites.
If Mitigated
With tight user role management and review of contributor-submitted content before it is rendered, impact is limited to defacement of the specific pages the attacker can reach.
🎯 Exploit Status
Exploitation requires an authenticated account with the Contributor role or higher, but is technically trivial once such an account exists: the payload is ordinary post content containing the shortcode, and it fires whenever the page is rendered, including when a reviewer previews a pending submission. Contributors cannot publish directly, so the review step is itself the most likely trigger.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.277 or higher
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3097694/colibri-page-builder/trunk/extend-builder/shortcodes/video.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Colibri Page Builder.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable shortcode
Remove or disable the colibri_video_player shortcode so its attributes are never rendered.
Add to the theme's functions.php (or a must-use plugin): remove_shortcode('colibri_video_player');
Caveat: remove_shortcode() only works if it runs after the plugin has registered the shortcode, so hook it on the init action with a late priority rather than calling it at file load. Once removed, existing pages that use the shortcode will show its raw text instead of a video player until the plugin is patched.
Restrict user roles
Temporarily remove Contributor-level access or limit it to trusted users only.
Use WordPress role management plugins or manually edit user capabilities
🧯 If You Can't Patch
- Implement strict content review process for all posts/pages created by contributors
- Deploy WAF rules on the content-submission endpoints (wp-admin/post.php, wp-admin/admin-ajax.php and the REST API under wp-json/wp/v2/) that flag the colibri_video_player shortcode combined with quote characters, on*= event handlers or javascript: URLs in the request body. Generic "script tag" signatures are not enough: the payload lives in shortcode attribute values and does not need a <script> tag. Expect some false positives on legitimate shortcodes.
🔍 How to Verify
Check if Vulnerable:
In WordPress admin, open Plugins > Installed Plugins and check whether Colibri Page Builder is at version 1.0.276 or lower (vulnerable).
Check Version:
wp plugin list --name=colibri-page-builder --field=version
Verify Fix Applied:
Confirm plugin version is 1.0.277 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- POST requests to wp-admin/post.php or wp-json/wp/v2/posts from Contributor accounts whose body contains colibri_video_player together with on*= event handlers, javascript: URLs or stray quote characters (this requires request-body logging; access logs alone will not show it)
- Multiple page edits or pending submissions from Contributor accounts in a short time
Network Indicators:
- Visitors' browsers loading scripts from, or being redirected to, domains the site's own templates never reference (a Content-Security-Policy in report-only mode will surface these as violation reports)
- Script injection patterns in HTTP request bodies to the endpoints listed above
SIEM Query (narrow it to request-body logs; a bare "script" term matches nearly every WordPress request and is useless on its own):
source="wordpress" AND "colibri_video_player" AND ("onerror" OR "onload" OR "onmouseover" OR "onfocus" OR "javascript:")
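The content-review workaround under "If You Can't Patch" and the log indicators above both come down to one check: find stored colibri_video_player shortcodes whose attribute values carry HTML, event handlers, javascript: URLs or quote characters that would break out of an attribute. The following scanner is an added example, not code from the advisory or from the plugin. It parses shortcode attributes the way WordPress's shortcode_parse_atts() does (double-quoted, single-quoted or bare values) and runs heuristic patterns over each value. The post rows are constructed sample data; in practice you would feed it the output of `wp post list --post_type=post,page --fields=ID,post_author,post_content --format=json` or a query against wp_posts.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Shortcode name as given in the advisory.
SHORTCODE = "colibri_video_player"

# Matches [colibri_video_player ...attrs...]. A payload containing ']' would be
# truncated here; WordPress's own parser has the same limitation.
SHORTCODE_RE = re.compile(r"\[" + re.escape(SHORTCODE) + r"(?P<attrs>[^\]]*)\]")

# Attribute forms accepted by shortcode_parse_atts(): key="v", key='v', key=v.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Heuristics for values that are dangerous when echoed unescaped into HTML.
SUSPICIOUS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"<\s*/?\s*\w"), "html tag in attribute"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event handler attribute"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
    (re.compile(r"""["']"""), "quote character (attribute breakout)"),
]


def find_shortcodes(content: str) -> List[Dict[str, str]]:
    """Return one attribute dict per colibri_video_player shortcode in content."""
    found = []
    for m in SHORTCODE_RE.finditer(content):
        atts: Dict[str, str] = {}
        for am in ATTR_RE.finditer(m.group("attrs")):
            # Exactly one of the three value groups matched; pick it.
            value = next(v for v in am.groups()[1:] if v is not None)
            atts[am.group(1).lower()] = value
        found.append(atts)
    return found


def classify(atts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (attribute, reason) pairs for every suspicious attribute value."""
    hits = []
    for key, value in atts.items():
        for pattern, label in SUSPICIOUS:
            if pattern.search(value):
                hits.append((key, label))
    return hits


def scan_posts(posts: Iterable[Tuple[int, str, str]]) -> List[dict]:
    """posts: (post_id, author, post_content). Returns a finding per bad shortcode."""
    report = []
    for post_id, author, content in posts:
        for idx, atts in enumerate(find_shortcodes(content)):
            hits = classify(atts)
            if hits:
                report.append({"post_id": post_id, "author": author,
                               "shortcode_index": idx, "hits": hits})
    return report


# Constructed sample rows (hypothetical IDs and authors), not real site data.
SAMPLE_POSTS = [
    (101, "editor_jane",
     'Intro [colibri_video_player url="https://example.com/clip.mp4" autoplay="0"] text'),
    (102, "contrib_bob",
     "[colibri_video_player url='https://example.com/x.mp4' "
     "id='\" onmouseover=\"alert(document.cookie)' ]"),
    (103, "contrib_bob", "[colibri_video_player url=javascript:alert(1)]"),
    (104, "admin", "No shortcode here, just <strong>prose</strong>."),
]

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(f"post {finding['post_id']} by {finding['author']}: {finding['hits']}")
```

The quote-character rule is the one that catches the classic attribute-breakout payload (a single-quoted attribute whose value opens with a double quote), which contains no <script> tag and passes KSES for Contributor accounts. The scanner is a heuristic: entity-encoded payloads (for example &quot;) are not decoded here, so review any shortcode it flags rather than treating a clean result as proof of absence.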
🔗 References
- https://plugins.trac.wordpress.org/changeset/3097694/colibri-page-builder/trunk/extend-builder/shortcodes/video.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0afd981e-3ae8-4450-9750-23ff6fe612dc?source=cve