100,000 Websites Impacted by WordPress Popup Builder Plugin Vulnerabilities

Two vulnerabilities have been identified in the popular WordPress plugin, Popup Builder, which is used on around 100,000 websites.

The plugin, developed by Sygnoos, lets site owners create and manage popups for marketing products and services to visitors. It also lets a popup author attach custom JavaScript to a popup, and that script executes in the browser every time the popup loads. That feature is what gives the first flaw its impact: anyone who can write to that field can run script in the browser of every visitor who sees the popup.

Researchers at Defiant (the company behind Wordfence) identified two flaws. One lets an unauthenticated attacker inject JavaScript into popups that are then served to visitors; the other lets any logged-in user, including a subscriber, reach plugin features that should be reserved for administrators. Between them, the flaws could leak subscriber data and system configuration information, and the injected script could lead to full site takeover if an administrator loads a poisoned popup while logged in.

The first flaw, a stored cross-site scripting vulnerability tracked as CVE-2020-10196, lies in the AJAX action the plugin uses to autosave draft popups. The action is registered for unauthenticated visitors as well as logged-in users, and its handler performs neither a capability check (authorization) nor a nonce check (CSRF protection). An attacker therefore only needs to send a crafted POST request to wp-admin/admin-ajax.php to store arbitrary JavaScript in a popup, after which the script executes in the browser of every visitor to whom that popup is shown. The vulnerability has been assigned a CVSS v3 base score of 8.3 out of 10.

“Typically, attackers use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, though it could also be used for site takeover if an administrator visited or previewed a page containing the infected popup while logged in,” explained the Defiant researchers.

The second vulnerability, tracked as CVE-2020-10195, allows low-privilege users, including subscribers, to use plugin features that should require administrator rights, because the relevant handlers do not check the caller's capabilities before acting. By sending a simple POST request to wp-admin/admin-post.php, such a user can export the site's list of subscribers and retrieve system configuration information.
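Both findings come down to the same WordPress mistake: a handler that is reachable through wp-admin/admin-ajax.php or wp-admin/admin-post.php but never verifies who is calling it or whether they were meant to. The PHP below is an added illustration written for this page, not Popup Builder's code. It shows the two vulnerable patterns the article describes next to hardened versions; the action names, meta and option keys, and callback names are hypothetical.

```php
<?php
// Added illustration for this article, not Popup Builder's code.
// All action names, meta/option keys and callbacks are hypothetical.

// --- Pattern 1 (vulnerable): autosave reachable without logging in --------
// wp_ajax_nopriv_{action} runs for logged-out visitors, wp_ajax_{action} for
// logged-in users. Registering both with no nonce or capability check means
// anyone who can reach wp-admin/admin-ajax.php can overwrite the popup's
// stored JavaScript, which the plugin later echoes into a <script> block.
add_action( 'wp_ajax_nopriv_example_popup_autosave', 'example_popup_autosave_unsafe' );
add_action( 'wp_ajax_example_popup_autosave',        'example_popup_autosave_unsafe' );

function example_popup_autosave_unsafe() {
    $popup_id  = (int) $_POST['popup_id'];
    $custom_js = wp_unslash( $_POST['custom_js'] );          // attacker-controlled
    update_post_meta( $popup_id, 'example_custom_js', $custom_js );
    wp_send_json_success();                                  // stored XSS
}

// --- Pattern 1 (hardened) --------------------------------------------------
// No nopriv registration, so logged-out callers get WordPress's default "0"
// reply. Then nonce (CSRF), then capability tied to the specific post
// (authorization), and only then the write. The nonce is issued to the
// editor page with wp_create_nonce( 'example_popup_autosave' ).
add_action( 'wp_ajax_example_popup_autosave_safe', 'example_popup_autosave_safe' );

function example_popup_autosave_safe() {
    check_ajax_referer( 'example_popup_autosave', 'nonce' );  // dies on failure

    $popup_id = isset( $_POST['popup_id'] ) ? absint( $_POST['popup_id'] ) : 0;
    if ( ! $popup_id || ! current_user_can( 'edit_post', $popup_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Custom JS is executable by design, so output escaping is not the fix;
    // the control is WHO may set it. Limit it to users WordPress already
    // trusts to publish arbitrary script on the site.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $custom_js = isset( $_POST['custom_js'] ) ? wp_unslash( $_POST['custom_js'] ) : '';
    update_post_meta( $popup_id, 'example_custom_js', $custom_js );
    wp_send_json_success();
}

// --- Pattern 2 (vulnerable): export reachable by any logged-in user -------
// admin_post_{action} fires for every authenticated user, subscribers
// included. Being logged in is authentication, not authorization.
add_action( 'admin_post_example_popup_export', 'example_popup_export_unsafe' );

function example_popup_export_unsafe() {
    header( 'Content-Type: text/csv' );
    $out = fopen( 'php://output', 'w' );
    foreach ( get_option( 'example_popup_subscribers', array() ) as $row ) {
        fputcsv( $out, $row );                               // leaks the list
    }
    fclose( $out );
    exit;
}

// --- Pattern 2 (hardened) --------------------------------------------------
// Same handler, now gated on a nonce (issued with wp_nonce_url or
// wp_nonce_field( 'example_popup_export' )) and on an admin-level
// capability before a single byte of subscriber data is written.
add_action( 'admin_post_example_popup_export_safe', 'example_popup_export_safe' );

function example_popup_export_safe() {
    check_admin_referer( 'example_popup_export' );           // dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="subscribers.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( get_option( 'example_popup_subscribers', array() ) as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}
```

The two checks answer different questions and neither substitutes for the other: the nonce proves the request came from a form or link WordPress issued to this user (so a logged-in administrator cannot be made to fire it from another site), while the capability check proves the user is allowed to perform the action at all. Dropping the `nopriv` registration is what closes the unauthenticated path; the capability check is what closes the subscriber path.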

The flaws were reported to Sygnoos, and both were fixed in version 3.64.1, released on March 11, 2020. All earlier versions are vulnerable.

Sygnoos said it has received no reports of exploitation, but only around 33,000 of the roughly 100,000 sites running the plugin have updated to the patched version. Approximately 66,000 websites remain vulnerable, and their owners should update to 3.64.1 or later without delay.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news