Over 100,000 WordPress Websites Vulnerable Because Of One Popular Plugin

WordPress - Popup Builder plugin

WordPress plugins extend the capabilities of websites, and they are one of the main reasons WordPress has become one of the most popular CMSs in the world.

For the same reason, WordPress-powered websites have long been a target of attacks: the plugin ecosystem gives them a wide attack surface.

Attackers keep experimenting with and crafting campaigns to compromise those websites for their own gain.

Popup Builder is a popular WordPress plugin that lets site owners create, deploy and manage customizable popups with different kinds of content, from HTML and JavaScript to images and videos.

Sygnoos, the developer of the plugin, says that businesses can use it to increase their sales and revenue through its "smart popups that can be used to display ads, subscription requests, discounts and other promotional content."

That, however, comes with serious security risks, as discovered by Ram Gall, a QA engineer at Defiant.

In a blog post, Gall wrote:

"Typically, attackers use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, though it could also be used for site takeover if an administrator visited or previewed a page containing the infected popup while logged in."

There were two vulnerabilities:

The first allowed an unauthenticated attacker to inject malicious JavaScript into any published popup; the injected script would then execute in the browser of every visitor whenever the popup loaded (a stored XSS).

The second vulnerability allowed any logged-in user, even one with minimal permissions such as a subscriber, to export a list of all newsletter subscribers, export system configuration information, and grant themselves access to various features of the plugin.

WordPress Popup Builder - hacker

The security flaws in the plugin affect all versions of Popup Builder up to version 3.63.

The security flaws, tracked as CVE-2020-10195 and CVE-2020-10196, have both been fixed by Sygnoos with the release of Popup Builder version 3.65.1.

The fix came after Gall disclosed the vulnerabilities to WordPress.

The plugin has more than 100,000 users. However, only 33,000 of them have updated to version 3.65.1, meaning that over 66,000 sites still run earlier versions of Popup Builder and remain vulnerable to attack.

"We recommend that users update to the latest version available immediately," said Gall.

"While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover."

Published: 15/03/2020