WordPress Plugin Bug Allows Malicious Code Injection on 100K Sites

Vulnerabilities in the Popup Builder WordPress plugin could allow unauthenticated attackers to inject malicious JavaScript code into popups displayed on tens of thousands of websites, to steal information, and to potentially fully take over targeted sites.

Popup Builder enables site owners to create, deploy, and manage customizable popups containing a wide range of content from HTML and JavaScript code to images and videos.

Sygnoos, the plugin’s developer, markets it as a tool that can help increase sales and revenue via smart pop-ups used to display ads, subscription requests, discounts, and various other types of promotional content.

Unauthenticated XSS and information disclosure flaws

The security flaws discovered by Defiant QA Engineer Ram Gall affect all versions up to and including Popup Builder 3.63.

“One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded,” Gall said.

“Typically, attackers use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, though it could also be used for site takeover if an administrator visited or previewed a page containing the infected popup while logged in.”

The other bug made it possible for any logged-in user (with permissions as low as subscriber) to reach plugin features, export newsletter subscriber lists, and export system configuration information with a simple POST request to admin-post.php, because the handler performed neither a nonce check nor a capability check.

Figure: No nonce and permission checks in vulnerable code (Defiant)
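To make the missing-check pattern concrete, here is an added illustration of a hypothetical plugin export handler wired to admin-post.php, first in the shape that lets any authenticated user trigger it, then hardened with a capability check and a nonce. This is example code written for this page, not Popup Builder's own source or Defiant's proof of concept; the hook name, function names and the constructed sample data are assumptions.

```php
<?php
/**
 * Added example (not Popup Builder's code): a hypothetical "export subscribers"
 * handler for WordPress's admin-post.php, vulnerable form beside hardened form.
 *
 * A request to /wp-admin/admin-post.php with action=demo_export_subscribers
 * fires the 'admin_post_demo_export_subscribers' hook for any logged-in user.
 * WordPress only checks that the caller is logged in; the plugin itself must
 * verify authority (capability) and intent (nonce). If the plugin instead
 * registers 'admin_post_nopriv_demo_export_subscribers', even anonymous
 * visitors reach the handler, which is the shape that makes a content-saving
 * endpoint an unauthenticated stored-XSS vector.
 */

// Constructed sample data standing in for a database query (assumption).
function demo_fetch_subscribers() {
    return array(
        array( 'email' => 'alice@example.com', 'name' => 'Alice' ),
        array( 'email' => 'bob@example.com',   'name' => 'Bob' ),
    );
}

// Streams the rows as a CSV download and ends the request.
function demo_send_csv( array $rows ) {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="subscribers.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}

// --- Vulnerable pattern: no capability check, no nonce. Any logged-in user
// (a subscriber included) who POSTs action=demo_export_subscribers gets the
// full list. Shown for comparison; not registered below.
function demo_export_subscribers_vulnerable() {
    demo_send_csv( demo_fetch_subscribers() );
}

// --- Hardened pattern: authority first, then intent.
function demo_export_subscribers_hardened() {
    // 1. Authority: only users who may manage the site can export data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Intent: the POST must carry a nonce tied to this action and to the
    //    current user's session. check_admin_referer() dies on a bad nonce,
    //    which defeats forged cross-site POSTs.
    check_admin_referer( 'demo_export_subscribers', '_wpnonce' );

    demo_send_csv( demo_fetch_subscribers() );
}
add_action( 'admin_post_demo_export_subscribers', 'demo_export_subscribers_hardened' );

// The legitimate trigger: a form in the plugin's admin screen that embeds the
// matching nonce, so only a page rendered for this user can submit it.
function demo_render_export_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_export_subscribers">
        <?php wp_nonce_field( 'demo_export_subscribers', '_wpnonce' ); ?>
        <button type="submit">Export subscribers</button>
    </form>
    <?php
}
```

Both checks are needed: the nonce alone still lets a subscriber who can load the form export the data, and the capability check alone still lets an attacker who lures an administrator onto a hostile page submit the POST on their behalf.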

Vulnerabilities patched, tens of thousands still exposed

The flaws, tracked as CVE-2020-10196 and CVE-2020-10195, allow unauthenticated stored XSS, configuration disclosure, user data export, and website settings modification.

Sygnoos fixed the security issues with the release of Popup Builder version 3.64.1, one week after Defiant reported the bugs.

Since the fixed Popup Builder release was published, just over 33,000 users have updated the plugin, which still leaves over 66,000 sites with active installations exposed to attacks.

“While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover,” Gall added.

Since late February, hackers have been actively trying to take over WordPress sites by exploiting plugin vulnerabilities that let them plant backdoors and create rogue administrator accounts, with hundreds of thousands of websites exposed to attacks.

Kent
