Some bugs recently found and fixed in the Popup Builder plugin have potentially affected more than 100,000 WordPress websites.
Security researchers at WordPress security firm Defiant warn that Popup Builder is affected by vulnerabilities before version 3.64.1 that could enable attackers to insert malicious code without authentication, or leak user and device configuration details.
The most serious of these is a high-severity stored cross-site scripting (XSS) bug tracked as CVE-2020-10196, with a CVSS score of 8.3.
The plugin registered an AJAX hook intended to auto-save draft popups, but the hook was exposed to unprivileged users, and its handler performed neither nonce checks nor capability checks.
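As an added illustration of the pattern described above (constructed example, not Popup Builder's own code): a WordPress AJAX draft-save handler with the weaknesses the advisory names, beside a hardened version that is registered for authenticated users only, verifies a nonce and a capability, and sanitizes the stored markup. All hook, action, post-type and meta names are hypothetical.

```php
<?php
// Constructed example, not Popup Builder's code. Names are hypothetical.

// WEAK: reachable without login (wp_ajax_nopriv_), no nonce check, no
// capability check, and the popup markup is stored exactly as submitted.
add_action( 'wp_ajax_nopriv_example_draft_weak', 'example_draft_weak' );
add_action( 'wp_ajax_example_draft_weak',        'example_draft_weak' );
function example_draft_weak() {
    $popup_id = (int) $_POST['popupId'];
    update_post_meta( $popup_id, '_example_popup_html', $_POST['content'] );
    wp_send_json_success();
}

// HARDENED: logged-in users only (no wp_ajax_nopriv_ registration), nonce
// and capability verified against the object being edited, HTML reduced to
// post-safe markup before it is stored.
add_action( 'wp_ajax_example_draft_safe', 'example_draft_safe' );
function example_draft_safe() {
    // Terminates the request unless 'nonce' carries a valid token that was
    // issued by wp_create_nonce( 'example_draft_safe' ) for this user.
    check_ajax_referer( 'example_draft_safe', 'nonce' );

    $popup_id = isset( $_POST['popupId'] ) ? absint( $_POST['popupId'] ) : 0;

    // Capability check bound to the specific popup, not a blanket is_user_logged_in().
    if ( ! $popup_id || ! current_user_can( 'edit_post', $popup_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( get_post_type( $popup_id ) !== 'example_popup' ) {
        wp_send_json_error( 'not a popup', 400 );
    }

    // wp_kses_post() keeps only the tags/attributes allowed in post content,
    // so <script> and on* event handlers never reach the database.
    $content = isset( $_POST['content'] )
        ? wp_kses_post( wp_unslash( $_POST['content'] ) )
        : '';
    update_post_meta( $popup_id, '_example_popup_html', $content );

    wp_send_json_success( array( 'saved' => $popup_id ) );
}
```

When reviewing a plugin for this class of bug, the two things to look for are `wp_ajax_nopriv_` registrations on handlers that write data, and handlers whose body reaches a write call before any `check_ajax_referer()` or `current_user_can()` call.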
Such vulnerabilities are usually exploited to redirect visitors to malvertising sites or to steal information, but if the injected popup were shown to a logged-in administrator, the problem could also be leveraged for site takeover, Defiant says.
Another issue addressed in this week’s update is CVE-2020-10195 (CVSS score 6.3), which might allow a low-privileged authenticated user to export a list of all newsletter subscribers and device configuration information, or even grant access to plugin features themselves.
The vulnerabilities were reported to the plugin's developer on March 5, and a fully patched version of Popup Builder (3.64.1) was released on March 11.
According to Wordfence:
Description: Unauthenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
Plugin Slug: popup-builder
Affected Versions: <= 3.63
CVE ID: CVE-2020-10196
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 3.64.1
“While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover,” Defiant underlines.