"Critical WordPress-Plugin Bug Found in ‘Orbit Fox’ Allows Site Takeover"

Researchers at Wordfence, have discovered two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox. Orbit Fox is a multi-featured WordPress plugin that works with the Elementor, Beaver Builder, and Gutenberg site-building utilities. It allows site administrators to add features such as registration forms and widgets. The plugin, from a developer called ThemeIsle, has been installed by 400,000+ sites.  The first flaw found is an authenticated privilege-escalation flaw that carries a CVSS bug-severity score of 9.9, making it critical. Authenticated attackers with contributor level access or above can elevate themselves to administrator status and potentially take over a WordPress site. The second bug found by researchers is an authenticated stored cross-site scripting (XSS) issue that allows attackers with contributor or author level access to inject JavaScript into posts. This injection could be used to redirect visitors to malvertising sites or create new administrative users, among other actions. The second bug is rated 6.4 on the CVSS scale, making it medium severity.  

Threatpost reports: "Critical WordPress-Plugin Bug Found in ‘Orbit Fox’ Allows Site Takeover"