Flawed WordPress popup plugin allows attackers to inject malicious code

(Image credit: Pixabay)

Vulnerabilities have been discovered in a popular WordPress plugin called Popup Builder which could allow unauthenticated attackers to inject malicious JavaScript code into popups in order to steal information and even potentially take full control over targeted sites.

The plugin gives site owners the ability to create, deploy and manage customizable popups using a range of different content from HTML and JavaScript code to images and videos. Sygnoos, the developer of Popup Builder, says that businesses can utilize it to increase their sales and revenue through its smart popups that can be used to display ads, subscription requests, discounts and other promotional content.

The security flaws in the plugin, which affect all versions of Popup Builder up to version 3.63, were first discovered by Ram Gall who works as a QA engineer at Defiant. Gall provided further details on how an attacker would use the vulnerabilities he found in the plugin in a blog post, saying:

“Typically, attackers use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, though it could also be used for site takeover if an administrator visited or previewed a page containing the infected popup while logged in.”

One of the vulnerabilities Gall discovered in the Popup Builder plugin allows an unauthenticated attacker to inject malicious JavaScript code into any published popup and the code would then be executed whenever it is loaded.

The other vulnerability makes it possible for any user that is logged in (with permissions as low as a subscriber) to gain access to plugin features to export subscriber lists and system configuration info using a simple POST request to admin-post.php.

The security flaws, tracked as CVE-2020-10196 and CVE-2020-10195, have both been fixed by Sygnoos with the release of Popup Builder version 3.65.1, after Gall disclosed the bugs to the company.

However, only 33,000 users of the plugin's 100,000+ users have updated to the latest version which means that over 66,000 sites with previous versions of Popup Builder are still vulnerable and could be targeted by hackers.

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.