Popup Builder Plugin Flaws impacted 100000 WordPress Sites (Patched)


Several bugs recently found and fixed in the Popup Builder plugin potentially affected more than 100,000 WordPress websites.

Designed to help create and manage promotional modal popups for WordPress blogs and websites, Popup Builder also provides the ability to run custom JavaScript code when a popup loads.

Security researchers at WordPress security firm Defiant warn that Popup Builder versions before 3.64.1 are affected by vulnerabilities that could enable attackers to insert malicious code without authentication, or leak user and device configuration details.

The most critical vulnerability is a high-severity stored cross-site scripting (XSS) bug tracked as CVE-2020-10196, with a CVSS score of 8.3.

An unauthenticated attacker may exploit the security flaw to inject malicious JavaScript code into any popup and thus make it run when the popup is loaded.

The plugin registered an AJAX hook designed to enable auto-saving of draft popups, but the hook was exposed to unprivileged users. In addition, the function the hook called did not include nonce checks or capability checks.

Because of that, an attacker could send a POST request with a malicious JavaScript payload to wp-admin/admin-ajax.php, which would result in the payload being saved to the popup settings and executed whenever the popup appears on a website.
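The two missing checks, shown in a WordPress AJAX handler as an added example (this is not Popup Builder's code): the action name `example_popup_autosave`, the `custom_js` field and the meta key are hypothetical, and popups are assumed to be stored as posts.

```php
<?php
// Illustrative names only; none of these identifiers come from Popup Builder.

// Weak pattern: a wp_ajax_nopriv_* registration makes the handler reachable
// by visitors who are not logged in.
// add_action('wp_ajax_nopriv_example_popup_autosave', 'example_popup_autosave');

// Hardened registration: wp_ajax_* fires only for logged-in users.
add_action('wp_ajax_example_popup_autosave', 'example_popup_autosave');

function example_popup_autosave() {
    // 1. Nonce check: the request must carry a token this site issued for
    //    this action, which blocks cross-site request forgery. Dies with 403 on failure.
    check_ajax_referer('example_popup_autosave', 'nonce');

    // 2. Capability check: being logged in is not enough; the caller must be
    //    allowed to edit this specific popup (assumed to be stored as a post).
    $popup_id = isset($_POST['popup_id']) ? absint($_POST['popup_id']) : 0;
    if (!$popup_id || !current_user_can('edit_post', $popup_id)) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    $raw = (isset($_POST['settings']) && is_array($_POST['settings']))
        ? wp_unslash($_POST['settings'])
        : array();

    $clean = array();
    foreach ($raw as $key => $value) {
        if (!is_scalar($value)) {
            continue; // Drop nested structures instead of storing them blindly.
        }
        $key = sanitize_key($key);
        if ($key === 'custom_js') {
            // 3. The custom JavaScript feature stores script by design, so accept
            //    it only from users WordPress already trusts with raw markup.
            if (current_user_can('unfiltered_html')) {
                $clean[$key] = (string) $value;
            }
            continue;
        }
        $clean[$key] = sanitize_text_field($value);
    }

    update_post_meta($popup_id, '_example_popup_settings', $clean);
    wp_send_json_success(array('saved' => count($clean)));
}
```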

While such vulnerabilities are usually exploited to redirect users to malvertising sites or for information theft if the infected popup was shown to a logged-in administrator, the problem could also be leveraged for site takeover, Defiant says.

Another issue addressed in this week’s update is CVE-2020-10195 (CVSS score 6.3), which might allow a low-privileged authenticated user to export a list of all newsletter subscribers and device configuration information, or even gain access to the plugin's features.

The vulnerabilities were reported to the plugin developer on March 5, and a fully patched version of Popup Builder (version 3.64.1) was released on March 11.

According to Wordfence:

Description: Unauthenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
Plugin Slug: popup-builder
Affected Versions: <= 3.63
CVE ID: CVE-2020-10196
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 3.64.1

“While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover,” Defiant underlines.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.