WordPress Website Builder Vulnerability Affects Nearly 1 Million Websites - Search Engine Journal
High severity vulnerability discovered in Website Builder by SeedProd WordPress plugin can lead to unauthorized modification of data
A significant vulnerability has been patched in the Website Builder by SeedProd plugin, which has over 900,000 installations. The vulnerability, present in versions up to and including 6.15.21, allows unauthorized data modification on affected WordPress sites.
The vulnerability is a missing capability check in the ‘seedprod_lite_new_lpage’ function.
Capabilities are specific actions that users or roles are allowed to perform. A capability check is an important security feature in WordPress for managing permissions and access control: it determines whether the current user has the authority to perform a specific action.
A capability check is related to a role check, but the two operate at different levels. A role check verifies the user’s role (administrator, editor, and so on), while a capability check verifies whether the user holds a specific permission. A capability check therefore provides more granular control over permissions than a role check.
The missing capability check allows unauthenticated attackers to potentially modify the content of various pages created using the plugin, such as coming-soon or maintenance pages. The absence of this security feature exposes websites to risks of data tampering.
Unauthorized modification of data is a serious security issue. It arises from a flaw where unauthorized individuals can alter data, leading to potential exploits. Addressing this kind of vulnerability in the Website Builder plugin is highly recommended.
The vulnerability is rated 8.2 on the 10-point Common Vulnerability Scoring System (CVSS) scale, which places it in the ‘High’ severity category. The high rating reflects how serious the potential impact is.
This vulnerability is so new that there is currently no entry in the National Vulnerability Database for the assigned CVE number CVE-2024-1072.
However, Wordfence WordPress security researchers emphasized the seriousness of the Website Builder by SeedProd vulnerability:
“This makes it possible for unauthenticated attackers to change the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin.”
The publisher of the Website Builder by SeedProd has responded by releasing an updated version, 6.15.22, which addresses this vulnerability. The update includes a security nonce to mitigate the risk, and users of the plugin are strongly advised to update immediately to secure their website against attacks.
Regarding the nonce, WordPress explains what it is:
“A nonce is a ‘number used once’ to help protect URLs and forms from certain types of misuse, malicious or otherwise. …They help protect against several types of attacks…”
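To make the two mechanisms discussed above concrete, here is an added illustration of a WordPress AJAX handler written two ways: first without any authorization, then with both a nonce check and a capability check. This is example code written for this article, not SeedProd’s code; the action name `example_save_page`, the option name `example_landing_page_html`, the script handle `example-editor` and the `edit_pages` capability are all assumptions chosen for the illustration.

```php
<?php
// Added illustration (not SeedProd's code). Action, option and script names
// below are hypothetical.

// BEFORE: the handler trusts whoever reaches it. If it were also hooked on
// wp_ajax_nopriv_ (the hook for logged-out visitors), an unauthenticated
// request could overwrite the stored page markup.
function example_save_page_unchecked() {
    $html = isset( $_POST['page_html'] ) ? wp_unslash( $_POST['page_html'] ) : '';
    update_option( 'example_landing_page_html', $html );
    wp_send_json_success( array( 'saved' => true ) );
}
// Vulnerable wiring, shown for contrast only (deliberately not registered):
// add_action( 'wp_ajax_example_save_page',        'example_save_page_unchecked' );
// add_action( 'wp_ajax_nopriv_example_save_page', 'example_save_page_unchecked' );

// AFTER: nonce check (the request came from a form or script WordPress issued
// to this user) plus a capability check (the user may actually edit pages).
function example_save_page_checked() {
    // check_ajax_referer() ends the request with a 403 when the 'security'
    // field is missing or does not match a nonce issued for this action.
    check_ajax_referer( 'example_save_page', 'security' );

    // The nonce alone is not authorization: it only ties the request to a
    // session and action. The capability check is what decides whether this
    // user is allowed to perform the action at all.
    if ( ! current_user_can( 'edit_pages' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Sanitize the submitted markup before storing it.
    $html = isset( $_POST['page_html'] )
        ? wp_kses_post( wp_unslash( $_POST['page_html'] ) )
        : '';
    update_option( 'example_landing_page_html', $html );
    wp_send_json_success( array( 'saved' => true ) );
}
// Registered for logged-in users only; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_save_page', 'example_save_page_checked' );

// Issue the nonce to the admin-side script that submits the form, so the
// 'security' field the handler expects is available to the client.
function example_enqueue_editor_script() {
    wp_enqueue_script(
        'example-editor',
        plugins_url( 'editor.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-editor', 'exampleEditor', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_page' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_editor_script' );
```

The point worth keeping in mind when reviewing handlers like this is that the two checks answer different questions. The nonce answers “did this request originate from a page WordPress rendered for this user?”, which defends against cross-site request forgery; `current_user_can()` answers “is this user permitted to do this?”, which is the authorization decision. A handler that has one but not the other is still exposed, and a handler reachable through `wp_ajax_nopriv_` should never modify site data.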
Read the announcement by Wordfence:
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.15.21 – Missing Authorization via seedprod_lite_new_lpag
Read the official SeedProd Changelog
Roger Montti is a search marketer with over 20 years experience. I offer site audits and phone consultations. See me ...
Copyright © 2024 Search Engine Journal. All rights reserved. Published by Alpha Brand Media.