Two vulnerabilities – including a high-severity flaw – have been patched in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to infect malicious JavaScript into a popup – potentially opening up more than 100,000 websites to takeover.
Popup Builder helps users create and manage popups – such as marketing or promotional notices – for their websites. This week, software development company Sygnoos, the owner of Popup Builder, issued a patch addressing several vulnerabilities in the plugin.
“These flaws have been patched in version 3.64.1 and we recommend that users update to the latest version available immediately,” according to researchers with Wordfence, on Thursday. “While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover.”
The more severe vulnerability (CVE-2020-10196) stems from a stored cross-site scripting (XSS) flaw in an AJAX hook used by the WordPress plugin. In WordPress plugin development, developers have the ability to register AJAX hooks, which allows them to call functions directly. However, in this specific plugin, the AJAX hook was available to unprivileged users, and it lacked nonce checks or capability checks for the functions called.
“This meant that an unauthenticated attacker could send a POST request to wp-admin/admin-ajax.php with an array parameter, ‘allPopupData’, containing a number of key-value pairs, including a popup’s ID (visible in the page source) and a malicious JavaScript payload, which would then be saved in that popup’s settings and executed whenever a visitor navigated to a page where the popup was displayed,” said researchers.
While attackers typically use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, researchers say that the flaw could also be exploited for site takeover if an administrator visited or previewed a page containing the infected popup while logged in.
The bug ranks 8.3 out of 10.0 on the CVSS severity scale. Version 3.63 of the plugin is affected; researchers urge users to update to version 3.64.1.
Popup Builder also has another medium-severity vulnerability (CVE-2020-10195) that could be exploited by subscribers (users who are logged in, but with minimal permissions). Researchers said, by sending a request ($_POST ) to admin-post.php (with the ‘action’ parameter set to ‘sgpbSaveSettings’ and the ‘sgpb-user-roles[]’ parameter set to ‘subscriber’), an attacker could grant all subscriber-level users a number of permissions related to the plugin’s functionality.
“In addition to granting access to create and manage categories and newsletters, this would allow an attacker to make use of other AJAX functions that were protected by nonces, but not by capability checks, since usable nonces were displayed on these pages,” said researchers. “Alternatively, a $_POST request could be sent to admin-post.php with the ‘action’ parameter set to ‘csv_file’, making it possible to export a list of newsletter subscribers. As a result, an attacker could gain access to sensitive newsletter subscriber information and use this during a social engineering attack against those subscribers.”
Earlier this week, a critical vulnerability was found in a WordPress plugin known as “ThemeREX Addons” that could open the door for remote code execution in tens of thousands of websites. According to Wordfence, the bug has been actively exploited in the wild as a zero-day. And earlier this month, researchers warned that active exploits were targeting a recently patched flaw in the popular WordPress plugin Duplicator, which has more than 1 million active installations. So far, researchers have seen 60,000 attempts to harvest sensitive information from victims.
Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.