Problems were discovered in all versions of Popup Builder up to 3.71, and have now been fixed by the developers.
Let me remind you that we previously wrote about how hackers compete for vulnerable WordPress sites.
The experts write that the root of all the problems lay in the lack of authorization checks on most AJAX methods.
“In the end, these flaws could be exploited for sending out arbitrary newsletters, conducting local file inclusion attacks, importing or removing subscribers, and other malicious actions,” say WebARX researchers.
Although the plugin did implement a validation method, the AJAX methods essentially did not validate the user's permissions. For example, Popup Builder performed a nonce token validation, and any user who passed this validation could use the vulnerable AJAX methods. The problem was that the nonce token was sent to all users.
Thus, in order to carry out an attack, an attacker only needed to log in and gain access to the nonce token. The Popup Builder bugs then allowed, for example, sending out newsletters with “custom email body content, email sender, and several other attributes that would essentially allow an attacker to send emails to all subscribers.”
The researchers also demonstrated a method that allows importing a list of subscribers from a remote URL, which is then processed by saveImportedSubscribers.
“The remote URL taken from $_POST['importListURL'] can also be an absolute path to a local file, which can also be exploited by hackers and at least ruin the reputation of a site or company,” said the experts of WebARX.
The researchers emphasize that these are the capabilities of only two of the vulnerable methods and urge everyone to update the Popup Builder as soon as possible.
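As an added illustration (not code from Popup Builder or from the WebARX write-up), the following contrasts the weak pattern the researchers describe, an AJAX import handler gated only by a nonce that every visitor receives, with a hardened version that also checks the caller's capability and rejects local paths for the import URL. All function, action and nonce names here are hypothetical.

```php
<?php
// Added example: hypothetical plugin code, not Popup Builder's own.

// Stand-in for the plugin's subscriber-saving routine: keeps only valid e-mail addresses.
function example_save_imported_subscribers( $body ) {
    $emails = array_filter( array_map( 'trim', explode( "\n", $body ) ), 'is_email' );
    update_option( 'example_subscribers', array_values( $emails ) );
}

// WEAK: the handler trusts a nonce alone. A nonce only proves the request came from
// a page the site served; if that page is served to every user, it authorizes nobody.
// Not registered here, shown only for contrast with the hardened handler below.
function example_import_subscribers_weak() {
    check_ajax_referer( 'example_import_nonce', 'nonce' ); // CSRF protection, not authorization
    $url  = $_POST['importListURL'];                        // may be an absolute local path
    $body = file_get_contents( $url );                      // reads local files as readily as URLs
    example_save_imported_subscribers( $body );
    wp_send_json_success();
}

// HARDENED: nonce for CSRF, capability check for authorization, and the URL is
// validated and fetched only over HTTP(S) through the WordPress HTTP API.
add_action( 'wp_ajax_example_import_subscribers', 'example_import_subscribers_safe' );
function example_import_subscribers_safe() {
    check_ajax_referer( 'example_import_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits; low-privilege users stop here
    }
    $url = isset( $_POST['importListURL'] ) ? wp_unslash( $_POST['importListURL'] ) : '';
    // wp_http_validate_url() accepts only http/https URLs and rejects loopback and
    // private targets by default, so a filesystem path never reaches the fetch.
    if ( ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'invalid import URL', 400 );
    }
    // wp_safe_remote_get() applies the same validation to any redirect it follows.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }
    example_save_imported_subscribers( wp_remote_retrieve_body( $response ) );
    wp_send_json_success();
}
```

The capability name to require depends on who legitimately manages subscribers in a given plugin; the point is that authorization is a separate check from the nonce, and that the import URL is treated as untrusted input.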
Let me also remind you that we wrote about how hackers attacked 900,000 WordPress sites over a week.