Vulnerability Description
An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The live_editor_panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Siteorigin | Page Builder | < 2.10.16 |
Related Weaknesses (CWE)
References
- https://wordpress.org/plugins/siteorigin-panels/#developersRelease NotesThird Party Advisory
- https://www.wordfence.com/blog/2020/05/vulnerabilities-patched-in-page-builder-bExploitThird Party Advisory
- https://wordpress.org/plugins/siteorigin-panels/#developersRelease NotesThird Party Advisory
- https://www.wordfence.com/blog/2020/05/vulnerabilities-patched-in-page-builder-bExploitThird Party Advisory
FAQ
What is CVE-2020-13643?
CVE-2020-13643 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of a...
How severe is CVE-2020-13643?
CVE-2020-13643 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-13643?
Check the references section above for vendor advisories and patch information. Affected products include: Siteorigin Page Builder.