An authenticated stored cross-site scripting (XSS) vulnerability in the WPBakery WordPress plugin has exposed over 4 million sites.
WPBakery is a popular page builder plugin for WordPress, installed on over 4 million websites, that is used to create website content through drag-and-drop functionality.
Security researchers from Wordfence discovered the WPBakery vulnerability on July 27, 2020.
“This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts,” Wordfence described the vulnerability in a blog post.
Wordfence then reported full details of the issue to the plugin maker on July 29, 2020.
Soon afterwards, the WPBakery development team started working on a fix on July 31, 2020, and released a patch on September 24, 2020.
Users are strongly urged to upgrade to version 6.4.1 or to later versions as they become available. Administrators should also review their WordPress site for any unauthorized contributor or author accounts that may have been added.
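The two follow-up checks above (is the installed version older than 6.4.1, and which contributor- or author-level accounts appeared recently) can be scripted. The following is an added example, not code from Wordfence or WPBakery; it assumes a user export in the shape of `wp user list --fields=ID,user_login,roles,user_registered --format=json`, and the sample records and the review cutoff date are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample in the shape of WP-CLI's `wp user list ... --format=json`
# output (assumption: `roles` is a comma-separated string). Not real site data.
SAMPLE_USERS_JSON = """[
 {"ID": "1",  "user_login": "admin",       "roles": "administrator", "user_registered": "2019-03-02 10:15:00"},
 {"ID": "7",  "user_login": "editor_jane", "roles": "editor",        "user_registered": "2020-01-12 08:00:00"},
 {"ID": "42", "user_login": "guestpost99", "roles": "contributor",   "user_registered": "2020-08-14 02:33:10"},
 {"ID": "43", "user_login": "seo_writer",  "roles": "author",        "user_registered": "2020-09-30 23:41:00"}
]"""

PATCHED_VERSION = "6.4.1"  # first WPBakery release carrying the fix, per the article


def parse_version(v):
    """Turn '6.4.1' into (6, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(installed):
    """True when the installed WPBakery version predates the patched release."""
    return parse_version(installed) < parse_version(PATCHED_VERSION)


def suspicious_accounts(users_json, since, roles=("contributor", "author")):
    """Return logins of contributor/author accounts registered on or after `since`.

    Only roles able to author posts (the level the flaw requires) are considered;
    the cutoff date is the reviewer's choice, e.g. the day the flaw was discovered.
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for user in json.loads(users_json):
        user_roles = {r.strip() for r in user["roles"].split(",")}
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if user_roles & set(roles) and registered >= cutoff:
            flagged.append(user["user_login"])
    return flagged


if __name__ == "__main__":
    print("WPBakery 6.4.0 vulnerable:", is_vulnerable("6.4.0"))
    print("Accounts to review:", suspicious_accounts(SAMPLE_USERS_JSON, "2020-07-27"))
```

Accounts the script flags are candidates for manual review, not proof of compromise; confirm each against your own onboarding records.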
Also last week, on October 5, 2020, Wordfence reported fixes for high-severity XSS vulnerabilities in the WordPress plugins Post Grid and Team Showcase.