WordPress plugin Popup Builder endangered 100,000 sites

WordPress Plugin Popup Builder
Written by Emma Davis

More than 100,000 sites are at risk because of flaws in Popup Builder, a popular WordPress plugin, Defiant experts report.

This plugin lets site owners create custom pop-ups containing a wide variety of content, from HTML and JavaScript code to images and videos. Lately, however, news of vulnerabilities in popular WordPress plugins has been appearing less often than news of cybercriminals exploiting the coronavirus theme.

The most serious bug found in Popup Builder is CVE-2020-10196, which scored 8.3 points on the CVSS vulnerability rating scale. It is a stored XSS that allows unauthenticated attackers to inject malicious JavaScript into any pop-up on a vulnerable site, steal information and potentially take over the target site completely. All versions of Popup Builder up to 3.64.1 are affected by this vulnerability.

“Typically, attackers use such vulnerabilities to redirect visitors to sites with malicious advertising or steal confidential information from browsers, but the vulnerability can also be used to hijack a site if a logged-in administrator has visited or previewed a page containing an infected pop-up,” write the experts.

Another unpleasant flaw in the plugin (CVE-2020-10195) allowed any logged-in user, even one with only subscriber rights, to access the plugin's functions, export mailing-list subscribers, and export system configuration information using an ordinary POST request to admin-post.php.
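The class of flaw described above, an action reachable through admin-post.php by any logged-in user, is illustrated below with an added example that is not Popup Builder's code; the hook name, option key and function names are hypothetical, and the hardened version shows the checks a defender expects in such a handler.

```php
<?php
/**
 * Illustrative example (not Popup Builder's code). The 'admin_post_{action}'
 * hook fires for every authenticated user, subscribers included, so a handler
 * that does its own authorization badly is exposed to the lowest-privilege
 * account on the site. Hook names and the option key are hypothetical.
 */

// Vulnerable pattern: no nonce and no capability check, so any account can
// trigger the export simply by being logged in.
add_action( 'admin_post_example_export_subscribers', 'example_export_vulnerable' );
function example_export_vulnerable() {
    $rows = get_option( 'example_subscriber_list', array() ); // hypothetical option
    header( 'Content-Type: text/csv' );
    foreach ( $rows as $row ) {
        echo implode( ',', $row ) . "\n";
    }
    exit;
}

// Hardened pattern: verify a nonce bound to this action and require a
// capability that only administrators hold before touching the data.
add_action( 'admin_post_example_export_subscribers_safe', 'example_export_hardened' );
function example_export_hardened() {
    // Rejects forged cross-site requests; the submitting form must include
    // wp_nonce_field( 'example_export_subscribers_safe' ).
    check_admin_referer( 'example_export_subscribers_safe' );

    // Authorization: subscribers, contributors and editors all fail this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to export subscribers.' ),
            '',
            array( 'response' => 403 )
        );
    }

    $rows = get_option( 'example_subscriber_list', array() ); // hypothetical option
    header( 'Content-Type: text/csv' );
    foreach ( $rows as $row ) {
        // Quote every field so a stored value cannot break the CSV structure.
        echo implode( ',', array_map( 'example_csv_field', $row ) ) . "\n";
    }
    exit;
}

function example_csv_field( $value ) {
    return '"' . str_replace( '"', '""', (string) $value ) . '"';
}
```

When reviewing a plugin's admin-post.php handlers, the two lines to look for are the nonce verification and the current_user_can() check; a handler with neither is reachable by every registered account.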

Defiant experts privately reported these problems to the plugin's author, who responded within a few hours. They worked together for a week to make sure the vulnerabilities were fully fixed.

“These flaws have been patched in version 3.64.1 and we recommend that users update to the latest version available immediately. While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover. Sites running Wordfence Premium have been protected from attacks against these vulnerabilities since March 5, 2020. Sites running the free version of Wordfence will receive the same firewall rule update on April 4, 2020,” write Defiant specialists.

Researchers note that so far only about 33,000 users have updated the plugin, which means more than 66,000 sites running outdated versions remain vulnerable.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
