Many WordPress Sites Affected by Vulnerabilities in ‘Popup Builder’ Plugin
Multiple vulnerabilities patched recently in the popular WordPress plugin Popup Builder could be exploited to perform various malicious actions on affected websites.
With over 200,000 installations to date, “Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter” is a plugin that helps WordPress site owners create, customize, and manage promotion modal popups.
Discovered by researchers at website security company WebARX, the recently addressed issues are caused by the lack of authorization on most AJAX methods, and impact all Popup Builder versions up to 3.71.
The missing authorizations create security flaws that could be leveraged to send out newsletters with any content, for local file inclusion (but limited to first-line), to import or delete subscribers, and perform other actions as well.
The bugs, WebARX explains, exist because the AJAX methods fail to check the capability of the user, although a method to perform the check has been implemented in the plugin.
The plugin does perform the check of a nonce token, and any user – regardless of capability – who can pass the check can execute the vulnerable AJAX methods, as the nonce token is sent to all users.
WebARX’ researchers have detailed some of the vulnerable methods, but refrained from publishing information on all of them, given that a large number of methods are affected.
One of the vulnerable methods, they reveal, could be abused by an authenticated user to send out newsletters with “custom email body content, email sender, and several other attributes that will essentially allow a malicious user to send out emails to all subscribers.”
To exploit the vulnerability, a user would need to be logged in and to have access to the nonce token, the researchers say.
Some of the affected methods, they also reveal, “could cause damage to the reputation and security status of the site.”
The vulnerabilities were reported to the plugin’s developer in February 2020. An incomplete fix was pushed out in August 2020, with the release of version 3.71 of the plugin, while a proper fix was made available last week, with the release of version 3.72.