WP Bakery WordPress Vulnerability Affects Millions of Sites

WP Bakery

WP Bakery Page Builder WordPress module weakness influences more than 4 million destinations. Scientists found a defect in WP Bakery page manufacturer that permits an assailant to infuse malignant JavaScript into pages and posts. The flaw allows an aggressor to infuse code into pages and posts that, at that point, assaults site guest programs. A manager executes a controlled site; assailants might likewise make sure about head rights. After Wordfence enlightened the designers regarding the WordPress vulnerability of WP bakery, they delivered an update for the module.

Authenticated Stored Cross-Site Scripting Vulnerability

Cross-webpage scripting vulnerability is described by an aggressor picking up the capacity to focus on the programs of guests using malevolent contents that were clandestinely positioned on a site. XSS assaults are among the most common sort of weaknesses.

This particular assault is called an Authenticated Stored Cross-Site Scripting Vulnerability. A Stored XSS weakness is one in which content is set in the website itself by an assailant. In any case, this is an Authenticated Stored XSS weakness, implying that the assailant must have site accreditations to execute the assault. This makes it, to a lesser degree, a basic danger since it requires an assailant to make the additional stride of procuring qualifications.

WP Bakery Authenticated Stored XSS weakness

This particular WP Bakery vulnerabilities necessitates that the assailant acquires benefactor or creator level presenting qualifications on a site. When an assailant has the certifications, they can infuse contents on any posts or pages. It likewise enables the aggressor to change the posts made by different clients. WPBakery page builder is the most popular page builder for WordPress. This weakness was made out of various imperfections.

The defects permitted the infusion of HTML and JavaScript into credentialed client’s posts or pages and to those of different creators. There was additionally another particular imperfection that focused on catches that had a JavaScript usefulness connected to it.

As indicated by WordFence: “The module likewise had custom click usefulness for catches. This made it workable for an aggressor to infuse vindictive JavaScript in a net that would execute on a tick of the net. Besides, giver and creator level clients had the option to utilize the vc_raw_html, vc_raw_js, and button using custom click shortcodes to add vindictive JavaScript to the posts.

WordPress Bakery Page Builder 6.4 and Under Are Affected-

The WordPress vulnerability was found in late July 2020. WP Bakery gave a fix in late August, yet different issues remained, remembering for a subsequent spot gave toward the beginning of September. The last fix that shut the weakness was given on September 24, 2020. Module programming designers distribute a changelog. The changelog content is the thing that appears in the WordPress administrator module region that imparts what an update is about. Lamentably, WP Bakery’s changelog doesn’t mirror the desperation of the update since it doesn’t unequivocally say that it is fixing a weakness. The changelog alludes to the weakness patches as upgrades.


In the post, we explained a defect in the WP Bakery Plugin that gave confirmed clients the capacity to infuse malignant JavaScript into posts utilizing the WP Bakery Page developer. Alongside that, we provided some understanding of how you can secure yourself against Contributor and Author level weaknesses.

Read Also: Different Types of Social Media Marketing

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest
Share on whatsapp
Sanam Marvi

Sanam Marvi

Content, PR & Digital Marketing manager with a decade of diverse experience in the technology field and work for Megabyte.

Let us Help Your Business Grow

Follow Us​

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on whatsapp

Recent Articles