WordPress users should be made aware of two critical vulnerabilities found in a WordPress plug-in called Orbit Fox. One vulnerability allows for privilege escalation and remote code injection, while the second issue allows for cross-site scripting. Our recommendation is that you update the Orbit Fox plug-in to the most recent version as soon as possible.
The more severe vulnerability, the privilege escalation, lets an attacker who holds contributor-level access potentially take over a WordPress site completely. It is carried out with a specially crafted request, submitted by adding a registration form through the Orbit Fox sign-up widget. While the plug-in's client-side code guards against this, the backend server does not apply proper data sanitisation to what the form submits. As a result, a lower-level contributor can set their own user role to administrator through a malicious registration form.
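To make the server-side gap concrete, the following added example (hypothetical illustration written for this page, not Orbit Fox's own code) shows the flaw class beside its fix: a handler that trusts the role value carried in the request, and one that only grants a role from a site-configured allowlist and never lets privileged roles be self-assigned. The function names, the `$allowed_roles` list and the constructed request are assumptions; in a real WordPress handler the fallback would come from `get_option('default_role')` and the allowlist from the plug-in's settings.

```php
<?php
// Added example, not Orbit Fox code. Demonstrates why hiding a field on the
// client does not protect a registration endpoint: the HTTP request can
// carry any role value, so the server must decide the role itself.

// Vulnerable pattern: the server takes the role straight from the form.
// Any user able to submit the form (or craft the request) can pick
// "administrator" even though the client-side form never offers it.
function vulnerable_registration_role(array $post): string
{
    return $post['role'] ?? 'subscriber';
}

// Hardened pattern: the requested role is only honoured if it is on the
// site's allowlist of self-serve roles, and privileged roles are refused
// unconditionally. Anything else falls back to the configured default.
function hardened_registration_role(array $post, array $allowed_roles, string $default_role): string
{
    $requested = isset($post['role']) ? (string) $post['role'] : $default_role;

    // Roles that must never be self-assignable through registration,
    // regardless of what an operator puts in the allowlist.
    $never_self_assign = ['administrator', 'editor'];
    if (in_array($requested, $never_self_assign, true)) {
        return $default_role;
    }
    if (!in_array($requested, $allowed_roles, true)) {
        return $default_role;
    }
    return $requested;
}

// Constructed request (assumption): a tampered form submission in which the
// hidden role field has been set to administrator.
$tampered = [
    'user_login' => 'newuser',
    'user_email' => 'newuser@example.test',
    'role'       => 'administrator',
];
$allowed_roles = ['subscriber'];   // site-configured self-serve roles (assumed)
$default_role  = 'subscriber';     // stands in for get_option('default_role')

echo 'vulnerable handler grants: ', vulnerable_registration_role($tampered), PHP_EOL;
echo 'hardened handler grants:   ', hardened_registration_role($tampered, $allowed_roles, $default_role), PHP_EOL;
```

The point of the hardened function is that the decision is made entirely on the server from values the operator controls; the client's copy of the role field is informational at best. When reviewing any registration or profile-update code path, check that the role (and capabilities) never originate from request parameters, and log any request that attempts to submit a role outside the allowlist, since that is a reliable signal of tampering.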
Currently, Orbit Fox has over 400,000 active installations on WordPress sites, so a large number of site owners could be affected by these vulnerabilities, as well as the end users of those websites. The cross-site scripting vulnerability is present in Orbit Fox versions 2.10.2 and earlier. The more severe privilege escalation vulnerability only applies to sites that run an affected version of Orbit Fox together with either the Elementor or Beaver Builder plug-in and have user registration enabled.
If you use an affected version of Orbit Fox, we urge you to update the plug-in as soon as possible.