Developers behind the “Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter” WordPress plugin have recently addressed multiple vulnerabilities that can be exploited to perform various malicious actions on affected websites.
The plugin has over 200,000 active installations to date; it allows WordPress site owners to create, customize, and manage promotional modal popups.
Experts from the security firm WebARX state that the flaws in the “Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter” plugin are caused by missing authorization checks in most of its AJAX methods.
“The authorization issues in the plugin are caused due to many of the AJAX methods not checking the capability of the user. A method to check the capability of the user is present in the plugin but was not used in these methods.” reads the post published by WebARX.
“A nonce token on the other hand is checked but since this nonce token is sent to all users regardless of their capabilities, any user can execute the vulnerable AJAX methods as long as they pass the nonce token.”
The lack of authorization could allow an attacker to send out newsletters with arbitrary content, perform local file inclusion (limited to the first line of the file), import or delete subscribers, and perform other actions.
The nonce check alone does not prevent this: because the token is issued to all users regardless of their capabilities, users with any capability can execute the vulnerable AJAX methods.
The experts provided information about some of the vulnerable methods but did not include details about all the affected functions.
One of the vulnerable methods allows users to import a list of subscribers from a remote URL, while another could be abused by an authenticated user to send out newsletters with “custom email body content, email sender, and several other attributes that will essentially allow a malicious user to send out emails to all subscribers.”
The flaws could be exploited by a logged-in user with access to the nonce token.
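As an added illustration (not the Popup Builder plugin's own code), here is the pattern WebARX describes in a generic WordPress AJAX handler: one that stops at the nonce check, beside a hardened version that also checks the user's capability and only hands the nonce to users who may use it. All hook, nonce and function names are hypothetical.

```php
<?php
// Added illustration, not code from the Popup Builder plugin.
// Hook names, the nonce action and the handler functions are hypothetical.

// Weak pattern: the nonce only proves the request came from a page that
// embedded it. If the plugin hands the same nonce to every logged-in user,
// any low-privileged account can reach this handler.
function hypothetical_send_newsletter_weak() {
    check_ajax_referer( 'hypothetical_popup_nonce', 'nonce' );
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    wp_mail( get_option( 'admin_email' ), $subject, $body ); // no capability check
    wp_send_json_success( 'sent' );
}
add_action( 'wp_ajax_hypothetical_send_newsletter_weak', 'hypothetical_send_newsletter_weak' );

// Hardened pattern: the nonce (CSRF) and the capability (authorization) are
// separate controls and both are enforced before any side effect.
function hypothetical_send_newsletter_hardened() {
    // 1. CSRF: nonce must match; the third argument makes it return false
    //    instead of calling wp_die(), so we can answer with JSON.
    if ( ! check_ajax_referer( 'hypothetical_popup_nonce', 'nonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    // 2. Authorization: only users allowed to manage the site may send mail.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    // 3. Input handling: sanitize before use.
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    $sent    = wp_mail( get_option( 'admin_email' ), $subject, $body );
    $sent ? wp_send_json_success( 'sent' ) : wp_send_json_error( 'mail failed', 500 );
}
add_action( 'wp_ajax_hypothetical_send_newsletter_hardened', 'hypothetical_send_newsletter_hardened' );

// Expose the nonce only to users who can actually use it, instead of
// localizing it into a script loaded for every logged-in user.
function hypothetical_enqueue_admin_script() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'hypothetical-popup-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hypothetical-popup-admin', 'hypotheticalPopup', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hypothetical_popup_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hypothetical_enqueue_admin_script' );
```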
“However, it is affecting methods which in turn could cause damage to the reputation and security status of the site.” concludes the report.
Below is the timeline for the flaws:
2nd December 2020 – We discovered the vulnerability and released a virtual patch to all WebARX customers.
2nd December 2020 – We reported the issue to the developer of the Popup Builder plugin.
3rd December 2020 – The developer replied and started working on a fix.
8th December 2020 – The developer released version 3.71 which only added an authorization check to the AJAX method to send newsletters, not all of them.
4th of January 2021 – Asked the developer for an update regarding progress on a new fixed version.
12th of January 2021 – No response so far, asked the developer for an update again.
22nd of January 2021 – Version 3.72 was released which contains the proper fixes, the AJAX actions now have an authorization check.
28th of January 2021 – Published the article.
(SecurityAffairs – hacking, WordPress)