Two vulnerabilities have been identified in Popup Builder, a popular WordPress plugin installed on around 100,000 websites.
“Typically, attackers use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, though it could also be used for site takeover if an administrator visited or previewed a page containing the infected popup while logged in,” explained the Defiant researchers.
The second vulnerability, tracked as CVE-2020-10195, allows low-privilege users, including subscribers, to access the plugin's features. This would allow them to export a list of website subscribers and system configuration information by sending a simple POST request to admin-post.php.
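The second flaw is a missing authorization check on an admin-post.php action handler. The PHP sketch below is added here as an illustration of that bug class and is not Popup Builder's code; the hook names, option key and function names are hypothetical. It shows an export handler that any logged-in user can trigger beside the same handler gated by a capability check and a nonce.

```php
<?php
// Hypothetical illustration (not Popup Builder's code). WordPress routes
// POST /wp-admin/admin-post.php?action=<name> to the admin_post_<name> hook
// for any logged-in user, so authorization must happen inside the handler.

// VULNERABLE: a subscriber can trigger the export because the handler never
// checks the caller's capability or a nonce.
add_action( 'admin_post_example_export_subscribers', 'example_export_subscribers_vulnerable' );
function example_export_subscribers_vulnerable() {
    $rows = get_option( 'example_subscriber_list', array() ); // hypothetical option key
    example_emit_csv( $rows );
}

// HARDENED: require an administrator-level capability and a valid nonce
// before doing any work, and fail closed with a 403 otherwise.
add_action( 'admin_post_example_export_subscribers_safe', 'example_export_subscribers_safe' );
function example_export_subscribers_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Validates the nonce submitted in the 'example_nonce' field and dies on failure.
    check_admin_referer( 'example_export_subscribers', 'example_nonce' );

    $rows = get_option( 'example_subscriber_list', array() );
    example_emit_csv( $rows );
}

// Shared output helper; uses fputcsv so values are quoted correctly.
function example_emit_csv( array $rows ) {
    header( 'Content-Type: text/csv' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}
```

The form that submits to the hardened action must include the matching field, generated with `wp_nonce_field( 'example_export_subscribers', 'example_nonce' )`, and the same capability check belongs on the admin page that renders the form.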
The flaws were reported to Sygnoos, and both were corrected in version 3.64.1, released on March 11, 2020. All versions before 3.64.1 are vulnerable.
Sygnoos said there have been no reported cases of exploitation, but only around 33,000 plugin users have updated to the latest version, leaving approximately 66,000 websites still vulnerable.