On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These vulnerabilities allowed any logged-in user, including subscribers, to access the page builder’s editor and make changes to existing posts on the site by default. Additionally, any logged-in user could add malicious JavaScript to any post, potentially resulting in site takeover.
Wordfence Premium users received a firewall rule protecting against these vulnerabilities on February 15, 2021. Sites still running the free version of Wordfence received the same protection 30 days later, on March 17, 2021.
Full article: https://www.wordfence.com/blog/2021/04/vulnerabilities-patched-in-wp-page-builder