Orbit Fox Plugin Vulnerabilities Expose 40,000 WordPress Sites

orbit fox plugin vulnerabilitiesSecurity researchers from Wordfence discovered that the Orbit Fox WordPress plugin contained two vulnerabilities. One of them could lead to privilege escalation (rated critical), and the other one is a stored XSS flaw (rated medium).
The Orbit Fox plugin has 40,000 installations, meaning that all these websites should check whether they are running the latest plugin version – 2.10.3.

Orbit Fox by ThemeIsle is a multi-featured plugin that works with Elementor, Beaver Builder, and Gutenberg. Its purpose is to allow site admins to add various features, like registration forms, widgets.

Orbit Fox Plugin Authenticated Privilege Escalation Vulnerability

The critical security flaw could lead to privilege escalation. The issue stems from its registration widget, which creates a registration form with customizable fields when using Elementor and Beaver Builder.

The plugin allows you to set a default role whenever a user registers through the form to carry out this functionality. Even though low-level contributors (contributors, authors, editors) weren’t given the option to set the default role from the editor, they could still modify it by crafting a specific request. Furthermore, the researchers discovered no server-side protections or validation to verify whether an authorized user was setting the default user role in a request.

According to the report:

The lack of server-side validation meant that a lower-level user with access to the page/post editor like contributors, authors, and editors could create a registration form and set the user role to that of an administrator upon successful registration. Once the registration form was created, the user could simply register a new user and that user would be granted administrator privileges even while still authenticated to the WordPress instance.

Attackers could exploit this vulnerability only with user registration enabled and Elementor or Beaver Builder plugins running.

Orbit Fox Plugin Authenticated Stored Cross Site Scripting Flaw

The vulnerability could allow contributors and authors to add scripts to posts. Furthermore, the bug enabled low-level users to add malicious JavaScript to WordPress posts to be executed in the user’s browser upon visiting the specific page.

“As always with XSS vulnerabilities, this would make it possible for attackers to create new administrative users, inject malicious redirects and backdoors, or alter other site content through the use of malicious JavaScript,” Wordfence noted.

In conclusion
The two vulnerabilities have been fully patched in Orbit Fox version 2.10.3. Plugin users immediately should update to the latest version to avoid any further issues. Full technical disclosure of the issues is available in the original report.

Researched and created by:
Krum Popov
Passionate web entrepreneur, has been crafting web projects since 2007. In 2020, he founded HTH.Guide — a visionary platform dedicated to streamlining the search for the perfect web hosting solution. Read more...
Technically reviewed by:
Metodi Ivanov
Seasoned web development expert with 8+ years of experience, including specialized knowledge in hosting environments. His expertise guarantees that the content meets the highest standards in accuracy and aligns seamlessly with hosting technologies. Read more...

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree
At HTH.Guide, we offer transparent web hosting reviews, ensuring independence from external influences. Our evaluations are unbiased as we apply strict and consistent standards to all reviews.
While we may earn affiliate commissions from some of the companies featured, these commissions do not compromise the integrity of our reviews or influence our rankings.
The affiliate earnings contribute to covering account acquisition, testing expenses, maintenance, and development of our website and internal systems.
Trust HTH.Guide for reliable hosting insights and sincerity.