Vulnerability of WordPress template plugin reaches +1 million sites

By Corrine K. Thomas
November 14, 2021

Starter Templates – Elementor, Gutenberg & Beaver Builder Templates, a plugin from the developers of the Astra WordPress theme, contains a vulnerability affecting over one million websites. The flaw allows an attacker to upload malicious scripts to a site, carry out a complete takeover of the site, and attack visitors of the vulnerable website.

Starter Templates – Elementor, Gutenberg and Beaver Builder Templates

The Starter Templates plugin is published by Brainstorm Force, the creators of the ever popular Astra WordPress theme. The plugin allows users to use over 280 WordPress templates which help speed up website development.

The templates are designed to be compatible with Elementor, Gutenberg, Brizy, and Beaver Builder, as well as the Astra theme.

The plugin is installed on over a million websites.

Vulnerability of Stored Cross-Site Scripting (XSS)

Wordfence security researchers discovered that the Brainstorm Force Starter Templates plugin contains a type of vulnerability that allows an attacker to upload a malicious script, which is then stored on the website itself.

A stored XSS vulnerability is particularly troublesome because the uploaded script is stored on the server of the attacked site itself.

The nonprofit Open Web Application Security Project (OWASP) describes the severity of this kind of XSS vulnerability on their site:

“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message board, in a visitor log, in a comment field, etc.”

The victim then retrieves the malicious script from the server when requesting the stored information.

Website takeover and attacks on website visitors

The vulnerability could result in a complete takeover of the site and allow the vulnerable website to be used to launch attacks against all of its visitors.

According to the Wordfence report:

“An attacker could create and host a block containing malicious JavaScript on a server they controlled, then use it to overwrite any post or page…

Any post or page created with Elementor, including published pages, could be overwritten by the imported block, and malicious JavaScript in the imported block would be executed in the browsers of all visitors to that page.

This could be used to redirect site visitors to malicious websites, or hijack an administrator’s session in order to create a new malicious administrator or add a backdoor to the site, leading to a takeover of the site.”

Starter Templates plugin fixed

The developers of the Starter Templates plugin were notified of the vulnerability by Wordfence and quickly patched it in version 2.7.1.

The public changelog for the Starter Templates plugin accurately records the patch:

v2.7.1 – 7-October-2021
– Improved security: Validate the URL of the site before processing the import request.
– Improved security: updated the right file download permission before importing images.

An honest changelog like the one published by Brainstorm Force is the mark of a quality developer, and it is good to see them being open about fixing security issues.
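To make the stored-XSS chain described above and the first changelog entry ("validate the URL of the site before processing the import request") concrete, here is an added PHP sketch of a template-import AJAX handler. It is a hypothetical illustration written for this article, not the Starter Templates plugin's code, and the action names, the `demo_` function names and the allowlisted template host are assumptions. The first handler fetches whatever URL it is handed and writes the response straight into a post, which is the pattern that lets remote JavaScript become stored XSS; the hardened handler checks capability and nonce, accepts only the vendor's template host over HTTPS, confirms the user may edit the target post, and passes the imported markup through `wp_kses_post` before saving it.

```php
<?php
// Hypothetical illustration of the vulnerable import pattern and a hardened version.
// Not the plugin's code; function and action names are made up for this example.

// --- Vulnerable shape: a remote block is fetched from any URL and stored verbatim. ---
add_action( 'wp_ajax_demo_import_block_vulnerable', 'demo_import_block_vulnerable' );
function demo_import_block_vulnerable() {
    $url     = isset( $_POST['block_url'] ) ? wp_unslash( $_POST['block_url'] ) : '';
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;

    // No capability check, no nonce, and no check of where the block comes from.
    $response = wp_remote_get( $url );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'fetch failed' );
    }

    // Remote markup, <script> tags included, is persisted as-is: stored XSS.
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => wp_remote_retrieve_body( $response ),
    ) );
    wp_send_json_success();
}

// --- Hardened shape: validate the source URL before processing the import request. ---
// Assumed allowlist: only the vendor's template host may serve importable blocks.
const DEMO_ALLOWED_TEMPLATE_HOST = 'templates.example.com'; // placeholder host name

function demo_is_allowed_template_url( $url ) {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    // Exact host comparison over HTTPS only. Substring or prefix matching would
    // accept look-alike hosts such as templates.example.com.attacker.test.
    return 'https' === strtolower( $parts['scheme'] )
        && strtolower( $parts['host'] ) === DEMO_ALLOWED_TEMPLATE_HOST;
}

add_action( 'wp_ajax_demo_import_block', 'demo_import_block_hardened' );
function demo_import_block_hardened() {
    // Only users allowed to edit pages get this far, and only with a valid nonce.
    if ( ! current_user_can( 'edit_pages' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_import_block', 'nonce' );

    $url     = isset( $_POST['block_url'] ) ? esc_url_raw( wp_unslash( $_POST['block_url'] ) ) : '';
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;

    if ( ! demo_is_allowed_template_url( $url ) ) {
        wp_send_json_error( 'block source not allowed', 400 );
    }
    // The importer must also be allowed to edit this particular post or page.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'cannot edit target post', 403 );
    }

    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }

    // wp_kses_post removes script tags and on* event handlers while keeping the
    // markup a post may legitimately contain, so the block cannot carry JavaScript.
    $content = wp_kses_post( wp_remote_retrieve_body( $response ) );

    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $content,
    ) );
    wp_send_json_success();
}
```

The URL allowlist is the check the changelog describes; the capability, nonce and per-post checks are the defaults any WordPress import endpoint should carry, and the `wp_kses_post` filter is defence in depth so that a compromised or spoofed template source still cannot plant executable script in a page.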

Wordfence advises publishers to update the plugin

Wordfence recommends that all publishers using this plugin update to the latest version, 2.7.5, as this version also contains important bug fixes.

Read Wordfence’s Starter Templates vulnerability report:

Over 1 Million Sites Affected by Vulnerability in Starter Templates Plugin
