This critical WordPress plugin security bug could let hackers take over your site


Two vulnerabilities, one critical and one of medium severity, have been discovered in a WordPress plugin that is installed on more than 400,000 sites.

The Orbit Fox plugin contains security bugs that enable attackers to take control of a website or inject malicious code.

Security researchers at Wordfence, a WordPress security plugin, found that the more worrying of the two flaws allows attackers to elevate their privileges and take over the victim’s site.

According to the researchers, the vulnerability is contained within the Orbit Fox registration widget and allows lower-level users to gain administrator privileges.

The flaw can be exploited because the plugin relies only on client-side protection to hide the role selector from low-level users; no server-side validation of the submitted role is in place.
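As an added illustration (not Orbit Fox’s code and not Wordfence’s), the pattern described above is a registration handler that accepts a role value chosen in the browser; hiding the selector with JavaScript or CSS does nothing to stop a crafted request from sending it anyway. The hypothetical handler below shows the weak version beside a server-side check, where the role is ignored unless the caller is allowed to assign it and it is on an allow-list; every name prefixed `example_`, the nonce action and the allow-list contents are assumptions, while the other functions are WordPress core APIs.

```php
<?php
// Added example, not Orbit Fox code. Names prefixed "example_" are hypothetical.

// WEAK: trusts whatever role the browser submitted. Hiding the <select> from
// low-level users is client-side only; the POST field can still be sent.
function example_register_user_weak(array $post) {
    return wp_insert_user([
        'user_login' => sanitize_user($post['username'] ?? ''),
        'user_email' => sanitize_email($post['email'] ?? ''),
        'user_pass'  => $post['password'] ?? '',
        'role'       => $post['role'] ?? get_option('default_role'), // request-controlled
    ]);
}

// HARDENED: the server decides the role. A submitted role is honoured only
// when the current user may promote users AND the role is on an allow-list
// that never includes administrator for this form; everyone else gets the
// site default role regardless of what the request contains.
function example_register_user_hardened(array $post) {
    if (!isset($post['_wpnonce']) || !wp_verify_nonce($post['_wpnonce'], 'example_register')) {
        return new WP_Error('bad_nonce', 'Request could not be verified.');
    }

    $allowed_roles = ['subscriber', 'contributor']; // assumption: roles this form may assign
    $role = get_option('default_role');             // safe fallback for anonymous sign-ups

    $requested = sanitize_key($post['role'] ?? '');
    if ($requested !== ''
        && current_user_can('promote_users')        // server-side capability check
        && in_array($requested, $allowed_roles, true)
        && wp_roles()->is_role($requested)) {       // must also be a real registered role
        $role = $requested;
    }

    return wp_insert_user([
        'user_login' => sanitize_user($post['username'] ?? ''),
        'user_email' => sanitize_email($post['email'] ?? ''),
        'user_pass'  => $post['password'] ?? '',
        'role'       => $role,
    ]);
}
```

The hardened handler also gives a defender a simple check when reviewing a plugin: search for `'role'` being read from `$_POST` or `$_REQUEST` and confirm a capability check sits between the request and `wp_insert_user()`.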

More security flaws

The second vulnerability found within Orbit Fox affects the plugin’s header and footer script feature and allows threat actors to add malicious JavaScript to posts. This code then executes when a user visits the related webpage.

“In today’s post, we detailed two flaws in Orbit Fox by ThemeIsle that granted attackers the ability to escalate privileges and inject potentially malicious JavaScript into posts,” Chloe Chamberland, a threat analyst at Wordfence, explained.

“These flaws have been fully patched in version 2.10.3. We recommend that users immediately update to the latest version available, which is version 2.10.3 at the time of this publication.”

The issues discovered within Orbit Fox are not the first security problems found affecting WordPress plugins recently. Back in December, another popular plugin, Contact Form 7, was found to contain a critical file upload vulnerability that could put users at risk.

January 19, 2021