This second vulnerability is more interesting from a hacker’s point of view than the previous one because, when saving the post, the payload sent by Visual Composer is heavily obfuscated and thus will bypass web application firewalls and security plugins.
#Wordpress visual composer download code#
When contributor users save their post, it is saved as a “draft” because they don’t have permission to publish posts, but the JS code is immediately injected and executed, here again, globally into every page and post in the backend and frontend of the website: This applies to all users who can access the editor, including contributors and authors (unlike the default WordPress editor which, for security reasons, only allows admin and editor users to insert JS code into their posts): When users edit a post, they can insert JavaScript code locally or globally too. 'layout' => 'settings-standalone-with-tabs',Ī contributor user can access the tab and inject JavaScript code globally into every page and post of the website, both in the backend and frontend: 'title' => _('CSS, HTML & JavaScript', 'visualcomposer'), When calling addSubmenuPage to setup the tab, the addPage method in “visualcomposer/visualcomposer/Modules/Settings/Pages/CssJsSettings.php” doesn’t pass a capability: protected function addPage()
If there’s none, it will restrict the access by default to users who can edit posts, a capability available to low-privileged users such as contributors. It expects an optional user capability as an argument. This tab, as well as the third one, “Sytem Status”, are loaded by calling the addSubmenuPage method from the “visualcomposer/visualcomposer/Modules/Settings/Traits/SubMenu.php” script: protected function addSubmenuPage($page, $parentSlug = 'vcv-settings') Among the three available tabs, “CSS, HTML & JavaScript”, which is accessible at “/wp-admin/admin.php?page=vcv-global-css-js”, allows to inject CSS, JavaScript or HTML code into every page’s header and/or footer: The administrator can configure the plugin from its “Settings” page in the backend. The WordPress Visual Composer plugin (80,000+ active installations) fixed multiple authenticated stored XSS vulnerabilities.Īffected versions are 25.0 and below and, to some extend, version 26.0 (see Timeline below for more details).