Popup Builder Vulnerability Threatens 200,000 WordPress Sites

WebARX researchers warn that a vulnerability in the popular WordPress plugin Popup Builder (full name: Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter) installed on more than 200,000 sites could be exploited to perform various malicious actions, including sending spam.

The Popup Builder plugin is described as a plugin that allows to create and manage powerful promotion modal popups for your WordPress blog or website.

Problems were discovered in all versions of the plugin up to Popup Builder 3.71, and have now been fixed by the developers.

Let me remind you that we talked that hackers compete for vulnerable WordPress sites.

The experts write that the root of all problems lay in the lack of authorization for most AJAX methods.

“In the end, these flaws could be exploited for sending out arbitrary newsletters, conducting local file inclusion attacks, importing or removing subscribers, and other malicious actions.”, – say WebARX researchers.

Although in the plugin was implemented a validation method, essentially the AJAX methods could not validate the user experience. For example, Popup Builder performed a nonce token validation, and any user who passed this validation could use vulnerable AJAX methods. The problem was that the nonce token was sent to all users.

Thus, in order to carry out an attack, an attacker only needed to log in and gain access to the nonce token. The Popup Builder bugs then allowed, for example, to send out newsletters with “custom email body content, email sender, and several other attributes that would essentially allow an attacker to send emails to all subscribers.”

Researched also demonstrated a method that allows to import a list of subscribers from a remote url, which is then processed as saveImportedSubscribers.

“The remote URL taken from $ _POST[‘importListURL’] can also be an absolute path to a local file, which can also be exploited by hackers and at least ruin the reputation of a site or company”, – said the experts of WebARX.

The researchers emphasize that these are the capabilities of only two of the vulnerable methods and urge everyone to update the Popup Builder as soon as possible.

Let me also remind you that we talked like hackers attacked 900,000 WordPress sites over a week.