Attackers could attack websites created with the Content Management System (CMS) WordPress if the Orbit Fox plug-in is used with certain settings. If the conditions are right, attackers could, in the worst case, take over pages as admin.

According to the plug-in website, Orbit Fox is on 400. 000 Websites actively installed. This enables website operators to equip forms with social media functions, for example.

Dangerous vulnerabilities Websites with Orbit Fox are only vulnerable when the registration form is active and the Beaver Builder or Elementor plug-ins are running. If this is the case, attackers could start with prepared queries on the form and use an actually isolated field for classifying user rights. If that works, you’ll end up as an admin, warn security researchers from Wordfence in a post.

A CVE number has not yet been assigned for the security vulnerability. The threat level is classified as ” critical “. The second vulnerability is classified as ” medium “. Here, attackers could put their own code in contributions (stored XSS).

The plug-in developers state that the gaps in the Orbit Fox Version 2. 10. 3 to have closed.

(of)