As per similar instances with other PageBuilder plugins in recent months, a Cross-Site Scripting(CSS) vulnerability has been found on KingComposer, a WordPress PageBuilder plugin installed on over 100,000 sites.

This vulnerability has been fully patched in version 2.9.5 and so for users of this plugin, we strongly recommend updating to this version immediately.

For more information please check the official public release.

If you have questions, don’t hesitate to contact our support team.

An ongoing attack is currently being carried out exploiting vulnerable users of the plugins: Elementor Pro and Ultimate Addons for Elementor.

It is estimated that Elementor Pro is installed on over 1 million sites and that Ultimate Addons has an install base of roughly 110,000.

If you are using any of these plugins on your website, upgrade to the latest versions immediately. On May 7, 2020, the Elementor team has released Elementor Pro 2.9.4 that has been verified to patch the vulnerability.

The vulnerability in Elementor Pro is determined to be a zero day vulnerability which is exploitable if users have open registration. Meanwhile, the vulnerability in Ultimate Addons for Elementor, allows the Elementor Pro vulnerability to be exploited, even if the site does not have user registration enabled.

For more information please check the official public release.

If you have questions, don’t hesitate to contact our support team.

 On May 4, 2020, two vulnerabilities were discovered on the Page Builder by SiteOrigin plugin, a WordPress plugin actively installed on over 1,000,000 sites.

If an attacker can trick a site administrator to perform a planned action such as clicking a malicious link, this can potentially allow attackers to forge requests on behalf of that site administrator and execute malicious code in the admin’s browser. This is a critical security issue that could lead to full site takeover.

The plugin developer has since released an update with the patch for these vulnerabilities.

If you are using the Page Builder by SiteOrigin plugin, we recommend an immediate update to the latest version available. At the time of writing, that is version 2.10.16.

For more information please check the official public release.

If you have questions, don’t hesitate to contact our support team.

A vulnerability in the plugin Site Kit by Google, a WordPress plugin installed on over 400,000 sites, was discovered last month. Site Kit is the all-in-one solution to integrate a WordPress website with the critical Google tools.

The flaw enables attackers to obtain owner access for the website’s Google Search Console property.

The developers have since released an update to patch this issue, but outdated plugins (1.7.1 and older) are still at risk.

For more information please check the official public release.

If you have questions, don’t hesitate to contact our support team.

Several vulnerabilities were previously discoverd on the plugin Page Builder: PageLayer – Drag and Drop website builder, a WordPress plugin actively installed on over 200,000 websites. This marks another Page Builder plugin with vulnerabilities found in the last few months.

One flaw allows any subscriber-level and above user the ability to update/modify posts with malicious content, while another flaw allows attackers to forge malicious requests on behalf of a site’s administrator to modify the settings of the plugin. These are considered critical security issues with severe potential implications.

For websites at risk, it is recommended to run a server-side scan to monitor the filesystem for changes so that presence of any malware can be detected.

Beyond that, it is recommended to update your themes and plugins to their latest versions and ensure that your host is using the latest stable version of PHP. The latest version (1.1.4) of the Pagelayer plugin has already been patched for these issues.

For more information please check the official public release.

If you have questions, don’t hesitate to contact our support team.