Pierluigi Paganini March 13, 2020

Flaws in the Popup Builder WordPress plugin could allow unauthenticated attackers to inject malicious JavaScript code into popups of 100K+ websites.

The Popup Builder WordPress plugin is affected by security flaws that could be exploited by unauthenticated attackers to inject malicious JavaScript code into popups displayed on websites using it.

More than 100,000 websites are exposed to cyber attacks that could allow attackers, to steal information, and potentially take over them.

The Popup Builder plugin is developed by Sygnoos, it allows site admins to easily create, deploy, and manage customizable popups that could contain different content, including HTML and JavaScript code, images, and videos.

Popups are used by site owners to display a broad range of information, including ads, subscription requests, and discounts.

The vulnerabilities were discovered by Ram Gall, QA Engineer at WordFence. The flaws affect all versions prior to Popup Builder 3.64.1, the most severe one is an unauthenticated Stored Cross-Site Scripting (XSS) tracked as CVE-2020-10196 that received a CVSS Score of 8.3 (High).

“On March 4th, our Threat Intelligence team discovered several vulnerabilities in Popup Builder, a WordPress plugin installed on over 100,000 sites. One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded.” reads the post published by WordFence. “The other vulnerability allowed any logged-in user, even those with minimal permissions such as a subscriber, to export a list of all newsletter subscribers, export system configuration information, and grant themselves access to various features of the plugin.”

Experts discovered that the Popup Builder plugin allows to create and run popups containing custom Javascript, to do this the plugin registered an AJAX hook, wp_ajax_nopriv_sgpb_autosave, used to allow auto-saving of draft popups.

The problem is that the hook could be abused by unprivileged users because the function it called fails nonce checks or capability checks.

An unauthenticated attacker could send a POST request to -admin/admin- with an array parameter, ‘allPopupData’, that contains key-value pairs including a popup’s ID (visible in the page source) and a malicious JavaScript payload. Then the malicious payload is in that popup’s settings and executed whenever the page where the popup was displayed is visited.

“Typically, attackers use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, though it could also be used for site takeover if an administrator visited or previewed a page containing the infected popup while logged in.” continues the post.

The experts discovered other vulnerabilities that could allow logged-in users (even with low permissions (subscriber)) to access some plugin features, such as the export of newsletter subscribers lists and system configuration info. An attacker could exploit these flaws by sending a simple POST request to admin-post.php.

The flaw tracked CVE-2020-10195 is classified as an Authenticated Settings Modification, Configuration Disclosure, and User Data Export. The issue received a CVSS Score of 6.3 (Medium).

Since Sygnoos fixed the security issues with the release of Popup Builder version 3.64.1, over 33,000 users have updated their installs, this means that over 66,000 sites are still running vulnerable versions of the plugin.

The good news is that experts are not aware of attacks in the wild that attempt to exploit the above flaws.

Unfortunately, the number of attacks attempting to exploit vulnerabilities in WordPress plugins continues to increase. Yesterday I reported the news of a critical vulnerability in WordPress plugin ‘ThemeREX Addons’ that could allow remote attackers to execute arbitrary code.

A few weeks ago researchers at NinTechNet reported an ongoing campaign that was actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin. Other attacks recently observed are:

• Jan. 2020 – An authentication bypass vulnerability in the InfiniteWP plugin that could potentially impact by more than 300,000 sites.
• Jan. 2020 – Over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug in Code Snippets plugin.
• Feb. 2020 – A serious flaw in the ThemeGrill Demo Importer WordPress theme plugin with over 200,000 active installs can be exploited to wipe sites and gain admin access to the site.
• Feb. 2020 – A stored cross-site vulnerability in the GDPR Cookie Consent plugin that could potentially impact 700K users.
• Feb. 2020 – A zero-day vulnerability in the ThemeREX Addons was actively exploited by hackers in the wild to create user accounts with admin permissions.

I believe it is very important to protect WordPress install with dedicated solutions, I’m currently using WordFence solution, the company provided with a license to evaluate the premium features.

Pierluigi Paganini

(SecurityAffairs – hacking, PoPup Builder)

[adrotate banner=”5″]

[adrotate banner=”13″]