Beaver Builder Plugin [Authenticated Persistent XSS]
The Beaver Builder plugin by default allows users with the non-administrative
edit_posts capability to edit post content using an intuitive
frontend editor. This editor doesn't properly check capabilities when
saving post content, thus allowing users who don't actually have the
unfiltered_html capability to act as if they do. This could allow a
persistent XSS as long as the editor is enabled for the specified post type (by default
it is enabled only for pages).
Typically an attacker would need an account with the edit_posts capability
(at least a user with the contributor role), so this vulnerability is
applicable in very specific scenarios.
- Login with a user that has at least contributor rights
- Create a new post using the plugin's editor that contains at least one HTML element with arbitrary JS code.
- Save the post (or submit for review)
There is no official solution yet.
Updating the required rights to use the editor (Settings → Page
Builder → Editing → Editing Capability) to a capability only users with
administrative rights have (like create_users) won't mitigate this
vulnerability, because the plugin doesn't respect this setting when saving
post content, only when displaying editor controls.
Disabling the editor for post types that users with lower access can edit could be a workaround for this vulnerability, as the nonce required to save post content is not available when the plugin frontend editor is disabled for that post type.
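As an added example that is not Beaver Builder's code, the save-handler pattern this advisory implies a fix would need: the configured editing capability and unfiltered_html are re-checked when the content is saved, rather than only when the editor controls are rendered, so a valid nonce alone is not enough. The hook, nonce, option and function names are hypothetical placeholders.

```php
<?php
// Illustrative WordPress AJAX save handler (hypothetical names throughout).
add_action( 'wp_ajax_example_builder_save', 'example_builder_save' );

function example_builder_save() {
    // 1. The nonce only proves the request originated from the builder UI.
    //    It says nothing about what the user is allowed to store.
    check_ajax_referer( 'example_builder_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';

    // 2. Capability check at save time, mirroring the "Editing Capability"
    //    setting (hypothetical option name) instead of trusting the UI.
    $required_cap = get_option( 'example_builder_editing_capability', 'edit_posts' );
    if ( ! current_user_can( $required_cap ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient capabilities', 403 );
    }

    // 3. Users without unfiltered_html get the same filtering core applies to
    //    post_content: wp_kses_post() strips <script>, on* handlers, javascript:
    //    URLs and other disallowed markup. Applied explicitly here so the
    //    result is identical wherever the builder stores its data.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );
    }

    $result = wp_update_post(
        array( 'ID' => $post_id, 'post_content' => $content ),
        true // return WP_Error on failure instead of 0
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```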