Multiple vulnerabilities patched recently in the popular WordPress plugin Popup Builder could be exploited to perform various malicious actions on affected websites.
With over 200,000 installations to date, “Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter” is a plugin that helps WordPress site owners create, customize, and manage promotion modal popups.
Discovered by researchers at website security company WebARX, the recently addressed issues are caused by the lack of authorization on most AJAX methods, and impact all Popup Builder versions up to 3.71.
The missing authorizations create security flaws that could be leveraged to send out newsletters with any content, for local file inclusion (but limited to first-line), to import or delete subscribers, and perform other actions as well.
The bugs, WebARX explains, exist because the AJAX methods fail to check the capability of the user, although a method to perform the check has been implemented in the plugin.
The plugin does perform the check of a nonce token, and any user – regardless of capability – who can pass the check can execute the vulnerable AJAX methods, as the nonce token is sent to all users.
WebARX’ researchers have detailed some of the vulnerable methods, but refrained from publishing information on all of them, given that a large number of methods are affected.
One of the vulnerable methods, they reveal, could be abused by an authenticated user to send out newsletters with “custom email body content, email sender, and several other attributes that will essentially allow a malicious user to send out emails to all subscribers.”
To exploit the vulnerability, a user would need to be logged in and to have access to the nonce token, the researchers say.
Some of the affected methods, they also reveal, “could cause damage to the reputation and security status of the site.”
The vulnerabilities were reported to the plugin’s developer in early December 2020. An incomplete fix was pushed out a week later, with the release of version 3.71 of the plugin, while a proper fix was made available last week, with the release of version 3.72.
*updated disclosure/patching timeline
Related: Vulnerabilities in ‘Page Builder’ Plugin Expose 1 Million WordPress Websites
Related: WordPress ‘File Manager’ Plugin Patches Critical Zero-Day Exploited in Attacks
Related: Elementor Plugin Vulnerabilities Exploited to Hack WordPress Site
More from Ionut Arghire
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- CISA, NSA Issue Guidance for IAM Administrators
- Cisco Patches High-Severity Vulnerabilities in IOS Software
- ‘Nexus’ Android Trojan Targets 450 Financial Applications
- ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks
- Chrome 111 Update Patches High-Severity Vulnerabilities
Latest News
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
