Beaver Builder Plugin [Authenticated Persistent XSS]

Description

By default, the Beaver Builder plugin allows non-administrative users who have the edit_posts capability to edit post content through an intuitive frontend editor. This editor does not properly check capabilities when saving post content, so users who do not have the unfiltered_html capability can act as if they did. A malicious user could therefore create a post that includes arbitrary JavaScript code, as long as the editor is enabled for the post type in question (by default it is enabled only for pages).

Typically an attacker would need an account with the edit_posts capability (at least a user with the contributor role), so this vulnerability is applicable only in very specific scenarios.

PoC

  1. Log in with a user that has at least contributor rights
  2. Create a new post using the plugin’s editor that contains at least one HTML element with arbitrary JS code
  3. Save the post (or submit it for review)
  4. The JavaScript code is stored and will be executed whenever a user visits this post

Solution

There is no official solution yet.

Raising the rights required to use the editor (Settings → Page Builder → Editing → Editing Capability) to a capability that only users with administrative rights have (such as create_users) won’t mitigate this vulnerability, because the plugin only respects this setting when displaying the editor controls, not when saving post content.

Disabling the editor for post types that users with lower access can edit could be a workaround for this vulnerability, as the nonce required to save post content is not available when the plugin’s frontend editor is disabled for that post type.
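The root cause described above is a save path that trusts the editor UI’s capability gate instead of checking capabilities itself. The following is an added, illustrative example of how a frontend-editor save handler should enforce those checks in WordPress; it is not Beaver Builder’s code, and the action name, nonce action, and request parameter names (xss_demo_save_content, xss_demo_nonce, post_id, content) are hypothetical. The point is the last check: if the current user lacks unfiltered_html, the content is run through wp_kses_post (the same filter WordPress core applies for such users) before being stored, regardless of what the UI allowed.

```php
<?php
// Illustrative save handler for a frontend editor (hypothetical names, not plugin code).
// Registered for logged-in users only; unauthenticated requests never reach it.
add_action( 'wp_ajax_xss_demo_save_content', 'xss_demo_save_content' );

function xss_demo_save_content() {
    // 1. CSRF protection: the nonce must match the action the editor UI issued.
    //    Note that a nonce alone is not an authorization check.
    check_ajax_referer( 'xss_demo_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // 2. Authorization on the specific object: edit_post is resolved per post,
    //    so a contributor cannot overwrite someone else's published page.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';

    // 3. The missing check from the advisory: only users holding unfiltered_html
    //    may store raw markup. Everyone else gets the same KSES filtering that
    //    WordPress applies to classic post saves, which strips <script> and
    //    on* event handler attributes.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );
    }

    $result = wp_update_post(
        array(
            'ID'           => $post_id,
            'post_content' => $content,
        ),
        true
    );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }

    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

Two design notes. First, the capability check must live in the server-side save path, not only around the editor controls: as the advisory notes, a setting that merely hides the UI from lower-privileged users does nothing against a request sent directly to the save endpoint. Second, the check is per request, not per session or per nonce, because unfiltered_html can be granted or revoked (for example by DISALLOW_UNFILTERED_HTML on multisite) independently of whether a user can open the editor.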
