The Popup Builder WordPress plugin is affected by security flaws that could be exploited by
More than 100,000 websites are exposed to cyber attacks that could allow attackers, to steal information, and potentially take over them.
The Popup Builder plugin is developed by Sygnoos, it allows site
Popups are used by site owners to display a broad range of information, including ads, subscription requests, and discounts.
The vulnerabilities were discovered by Ram Gall, QA Engineer at WordFence. The flaws affect all versions prior to Popup Builder 3.64.1, the most severe one is an
“On March 4th, our Threat Intelligence team discovered several vulnerabilities in Popup Builder, a WordPress plugin installed on over 100,000 sites. One vulnerability allowed an
The problem is that the hook could be abused by unprivileged users because the function it called fails nonce checks or capability checks.
“Typically, attackers use a vulnerability like this to redirect site visitors to
The experts discovered other vulnerabilities that could allow logged-in users (even with low permissions (subscriber)) to access some plugin features, such as the export of newsletter subscribers lists and system configuration info. An attacker could exploit these flaws by sending a simple POST request to admin-post.php.
The flaw tracked CVE-2020-10195 is classified as an Authenticated Settings Modification, Configuration Disclosure, and User Data Export. The issue received a CVSS Score of 6.3 (Medium).
Since Sygnoos fixed the security issues with the release of Popup Builder version 3.64.1, over 33,000 users have updated their installs, this means that over 66,000 sites are still running vulnerable versions of the plugin.
The good news is that experts are not aware of attacks in the wild that attempt to exploit the above flaws.
Unfortunately, the number of attacks attempting to exploit vulnerabilities in WordPress plugins continues to increase. Yesterday I reported the news of a critical vulnerability in WordPress plugin ‘ThemeREX Addons’ that could allow remote attackers to execute arbitrary code.
A few weeks ago researchers at NinTechNet reported an ongoing campaign that was actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin. Other attacks recently observed are:
I believe it is very important to protect WordPress install with dedicated solutions, I’m currently using WordFence solution, the company provided with a license to evaluate the premium features.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.