Security researchers have discovered two vulnerabilities in the Orbit Fox WordPress plugin. The first is rated 9.9 on the CVSS scale and allows for privilege escalation and remote code injection; the second is rated 6.4 on the CVSS scale and allows for cross-site scripting. SKOUT recommends updating the Orbit Fox plugin to the patched version as soon as possible. At the time this threat advisory was published, no CVE identifiers had been assigned to these vulnerabilities.
Technical Detail & Additional Information
WHAT IS THE THREAT?
WHY IS IT NOTEWORTHY?
WHAT IS THE EXPOSURE OR RISK?
The cross-site scripting vulnerability (CVSS 6.4) is present in Orbit Fox versions 2.10.2 and earlier, so every site running an unpatched version is exposed to it. The more severe privilege escalation vulnerability requires three conditions together: an affected version of Orbit Fox, either the Elementor or the Beaver Builder plugin, and user registration enabled. Sites that use neither Elementor nor Beaver Builder, or that have user registration disabled, are not vulnerable to the privilege escalation vulnerability, but they still need the update for the cross-site scripting issue.
WHAT ARE THE RECOMMENDATIONS?
The current recommendations for these vulnerabilities are listed below:
- Update the Orbit Fox plugin to version 2.10.3 or later.
- If the site uses the Elementor or Beaver Builder plugin and has user registration enabled, disable user registration until Orbit Fox has been updated to version 2.10.3 or later.
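The following script is an added example, not part of this advisory or of the Orbit Fox project. It turns the exposure rules above into a WP-CLI triage check and applies the two recommendations in the order the advisory gives them (close registration first, then update). The plugin slugs are assumptions not stated on the page: `themeisle-companion` for Orbit Fox, `elementor` for Elementor, and `beaver-builder-lite-version` or `bb-plugin` for Beaver Builder; the WP-CLI subcommands used (`wp plugin get`, `wp plugin is-active`, `wp plugin update`, `wp option get`, `wp option update`) are standard.

```shell
#!/bin/sh
# Added example, not code from the SKOUT advisory or the Orbit Fox project:
# triage a WordPress site against this advisory with WP-CLI and apply the
# two recommendations. Assumed plugin slugs (not stated on the page):
# themeisle-companion (Orbit Fox), elementor, and beaver-builder-lite-version
# (free) / bb-plugin (paid) for Beaver Builder.
# Run from the WordPress root, or add --path=/var/www/html to each wp call.

PATCHED_VERSION="2.10.3"   # advisory: 2.10.2 and earlier are affected

# version_lt A B: true (exit 0) when dotted version A is older than B.
# A plain string compare would order 2.9 after 2.10, so each numeric component
# is compared in turn; a missing component counts as 0 (so 2.10 < 2.10.3).
# Pre-release suffixes such as 2.10.3-beta are not handled.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ -z "$ai" ]; then ai=0; fi
        if [ -z "$bi" ]; then bi=0; fi
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# exposure VERSION BUILDER_ACTIVE(0/1) USERS_CAN_REGISTER(0/1)
# Encodes the advisory's exposure rules and prints one of:
#   PATCHED  - Orbit Fox is 2.10.3 or later
#   CRITICAL - affected version AND (Elementor or Beaver Builder active)
#              AND registration open: privilege escalation (CVSS 9.9) plus XSS
#   MEDIUM   - affected version without the escalation preconditions:
#              cross-site scripting (CVSS 6.4) only
exposure() {
    ver="$1"; builder="$2"; reg="$3"
    if ! version_lt "$ver" "$PATCHED_VERSION"; then
        echo PATCHED
    elif [ "$builder" = "1" ] && [ "$reg" = "1" ]; then
        echo CRITICAL
    else
        echo MEDIUM
    fi
}

# Gather the three facts from a live site and classify it.
# Exit status is non-zero when the site still needs action.
site_check() {
    ver=$(wp plugin get themeisle-companion --field=version 2>/dev/null) || {
        echo "Orbit Fox (themeisle-companion) is not installed"; return 1; }
    builder=0
    for slug in elementor beaver-builder-lite-version bb-plugin; do
        if wp plugin is-active "$slug" 2>/dev/null; then builder=1; fi
    done
    reg=$(wp option get users_can_register)   # 1 = "Anyone can register"
    level=$(exposure "$ver" "$builder" "$reg")
    echo "$level: Orbit Fox $ver, page builder active=$builder, users_can_register=$reg"
    [ "$level" = "PATCHED" ]
}

# Apply the recommendations: close registration first (removes the escalation
# precondition immediately), then update the plugin and re-check.
site_remediate() {
    wp option update users_can_register 0
    wp plugin update themeisle-companion
    site_check
}

case "${1:-}" in
    --check)     site_check ;;
    --remediate) site_remediate ;;
esac
```

Usage: `sh orbitfox-triage.sh --check` reports the exposure level; `sh orbitfox-triage.sh --remediate` closes registration, updates the plugin and re-checks. Registration is left closed on purpose; if the site needs open registration, re-enable it with `wp option update users_can_register 1` only after the check reports PATCHED.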
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.