Themify Builder <= 7.6.2 - Reflected Cross-Site Scripting
Description
Reflected XSS in Themify Builder plugin up to 7.6.2 allows unauthenticated attackers to inject arbitrary web scripts via crafted links.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to and including 7.6.2. This occurs due to the use of add_query_arg without proper escaping on URLs, allowing injection of arbitrary web scripts. The vulnerability is present in the plugin's handling of query parameters [1].
Exploitation
An unauthenticated attacker can exploit this by crafting a malicious link that, when clicked by a user, executes arbitrary JavaScript in the context of the victim's browser. No authentication or privileged access is required. The attacker simply needs to trick the user into clicking the link, for example via social engineering or by embedding it in a comment or post.
Impact
Successful exploitation allows the attacker to execute arbitrary web scripts in the victim's browser, leading to potential session hijacking, credential theft, defacement, or other malicious actions limited only by the script's capabilities. The attack does not require any prior compromise of the site.
Mitigation
The Themify Builder plugin has been updated to version 7.7.3, which addresses this vulnerability. Users are strongly advised to update to the latest version (7.7.3) immediately [1]. If updating is not possible, no workaround is available, and sites should be monitored for suspicious activity.
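An added example (not code from the plugin or from this advisory): a heuristic Python audit for the pattern described under Vulnerability, flagging add_query_arg calls in PHP source that are not nested inside esc_url or esc_url_raw. It goes slightly beyond the text by also covering remove_query_arg, which builds its URL the same way; the PHP in SAMPLE is constructed, and a flagged line still needs manual review because the value may be escaped later.

```python
import re

ESCAPERS = {"esc_url", "esc_url_raw"}          # WordPress URL escaping functions
SINKS = {"add_query_arg", "remove_query_arg"}  # default to the request URI when no URL is passed

TOKEN = re.compile(r"""
    (?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")   # quoted string (skipped)
  | (?P<com>//[^\n]*|\#[^\n]*|/\*.*?\*/)           # PHP comment (skipped)
  | (?P<call>[A-Za-z_]\w*)\s*\(                    # identifier followed by "("
  | (?P<open>\()                                   # bare "("
  | (?P<close>\))
  | (?P<nl>\n)
""", re.X | re.S)

def find_unescaped(php_source):
    """Return [(line, function)] for sink calls not nested inside an escaper."""
    stack, line, findings = [], 1, []
    for m in TOKEN.finditer(php_source):
        kind = m.lastgroup
        if kind == "nl":
            line += 1
        elif kind in ("str", "com"):
            line += m.group().count("\n")   # keep line numbers right across multi-line spans
        elif kind == "call":
            name = m.group("call")
            if name in SINKS and not ESCAPERS.intersection(stack):
                findings.append((line, name))
            stack.append(name)              # remember which call this "(" belongs to
        elif kind == "open":
            stack.append("")
        elif kind == "close" and stack:
            stack.pop()
    return findings

# Constructed sample, not code from the Themify Builder plugin.
SAMPLE = r'''<?php
// Constructed sample for the audit below.
$next = add_query_arg( 'paged', $page + 1 );
echo '<a href="' . $next . '">Next</a>';
echo '<a href="' . esc_url( add_query_arg( 'paged', $page + 1 ) ) . '">Next</a>';
wp_safe_redirect( esc_url_raw( remove_query_arg( 'step' ) ) );
$form_action = remove_query_arg( array( 'msg', 'err' ) );
'''

if __name__ == "__main__":
    for lineno, func in find_unescaped(SAMPLE):
        print(f"line {lineno}: {func}() result is not wrapped in esc_url()/esc_url_raw()")
```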
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=7.6.2
Patches
- r3162399
References
- plugins.trac.wordpress.org/browser/themify-builder/tags/7.6.2/classes/class-themify-builder-model.php (mitre)
- plugins.trac.wordpress.org/changeset/3162399/themify-builder/trunk/classes/class-themify-builder-model.php (mitre)
- www.wordfence.com/threat-intel/vulnerabilities/id/a83e68e0-1b5b-4fd5-be00-37b8f11144c4 (mitre)