News

Popup Builder Vulnerability Threatens 200,000 WordPress Sites

WebARX researchers warn that a vulnerability in the popular WordPress plugin Popup Builder (full name: Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter) installed on more than 200,000 sites could be exploited to perform various malicious actions, including sending spam.

The Popup Builder plugin is described as a plugin that allows to create and manage powerful promotion modal popups for your WordPress blog or website.

Problems were discovered in all versions of the plugin up to Popup Builder 3.71, and have now been fixed by the developers.

Let me remind you that we talked that hackers compete for vulnerable WordPress sites.

The experts write that the root of all problems lay in the lack of authorization for most AJAX methods.

“In the end, these flaws could be exploited for sending out arbitrary newsletters, conducting local file inclusion attacks, importing or removing subscribers, and other malicious actions.”, – say WebARX researchers.

Although in the plugin was implemented a validation method, essentially the AJAX methods could not validate the user experience. For example, Popup Builder performed a nonce token validation, and any user who passed this validation could use vulnerable AJAX methods. The problem was that the nonce token was sent to all users.

Thus, in order to carry out an attack, an attacker only needed to log in and gain access to the nonce token. The Popup Builder bugs then allowed, for example, to send out newsletters with “custom email body content, email sender, and several other attributes that would essentially allow an attacker to send emails to all subscribers.”

Researched also demonstrated a method that allows to import a list of subscribers from a remote url, which is then processed as saveImportedSubscribers.

“The remote URL taken from $ _POST[‘importListURL’] can also be an absolute path to a local file, which can also be exploited by hackers and at least ruin the reputation of a site or company”, – said the experts of WebARX.

The researchers emphasize that these are the capabilities of only two of the vulnerable methods and urge everyone to update the Popup Builder as soon as possible.

Let me also remind you that we talked like hackers attacked 900,000 WordPress sites over a week.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove Kabatibly.co.in pop-up ads (Virus Removal Guide)

Kabatibly.co.in is a domain that tries to force you into clik to its browser notifications…

18 hours ago

Remove Reditarcet.co.in pop-up ads (Virus Removal Guide)

Reditarcet.co.in is a site that tries to force you into subscribing to its browser notifications…

18 hours ago

Remove Everestpeak.top pop-up ads (Virus Removal Guide)

Everestpeak.top is a domain that tries to trick you into subscribing to its browser notifications…

22 hours ago

Remove Firm-jawed.yachts pop-up ads (Virus Removal Guide)

Firm-jawed.yachts is a domain that tries to trick you into subscribing to its browser notifications…

22 hours ago

Remove Anapurnatop.top pop-up ads (Virus Removal Guide)

Anapurnatop.top is a domain that tries to trick you into subscribing to its browser notifications…

23 hours ago

Remove Boomira pop-up ads (Virus Removal Guide)

Boomira.com is a domain that tries to force you into clik to its browser notifications…

23 hours ago