Security Experts:

Connect with us

Hi, what are you looking for?



Many WordPress Sites Affected by Vulnerabilities in ‘Popup Builder’ Plugin

Multiple vulnerabilities patched recently in the popular WordPress plugin Popup Builder could be exploited to perform various malicious actions on affected websites.

Multiple vulnerabilities patched recently in the popular WordPress plugin Popup Builder could be exploited to perform various malicious actions on affected websites.

With over 200,000 installations to date, “Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter” is a plugin that helps WordPress site owners create, customize, and manage promotion modal popups.

Discovered by researchers at website security company WebARX, the recently addressed issues are caused by the lack of authorization on most AJAX methods, and impact all Popup Builder versions up to 3.71.

The missing authorizations create security flaws that could be leveraged to send out newsletters with any content, for local file inclusion (but limited to first-line), to import or delete subscribers, and perform other actions as well.

The bugs, WebARX explains, exist because the AJAX methods fail to check the capability of the user, although a method to perform the check has been implemented in the plugin.

The plugin does perform the check of a nonce token, and any user – regardless of capability – who can pass the check can execute the vulnerable AJAX methods, as the nonce token is sent to all users.

WebARX’ researchers have detailed some of the vulnerable methods, but refrained from publishing information on all of them, given that a large number of methods are affected.

One of the vulnerable methods, they reveal, could be abused by an authenticated user to send out newsletters with “custom email body content, email sender, and several other attributes that will essentially allow a malicious user to send out emails to all subscribers.”

To exploit the vulnerability, a user would need to be logged in and to have access to the nonce token, the researchers say.

Some of the affected methods, they also reveal, “could cause damage to the reputation and security status of the site.”

The vulnerabilities were reported to the plugin’s developer in early December 2020. An incomplete fix was pushed out a week later, with the release of version 3.71 of the plugin, while a proper fix was made available last week, with the release of version 3.72.

*updated disclosure/patching timeline

Related: Vulnerabilities in ‘Page Builder’ Plugin Expose 1 Million WordPress Websites

Related: WordPress ‘File Manager’ Plugin Patches Critical Zero-Day Exploited in Attacks

Related: Elementor Plugin Vulnerabilities Exploited to Hack WordPress Site

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet