WordPress plugin vulnerability enables hackers to inject malicious code

News by Rene Millman

A WordPress plugin for creating and deploying popups contains flaws that allow hackers to inject malicious JavaScript code into those popups

A WordPress plugin that enables websites to create and deploy popups has been discovered to contain flaws that allow hackers to inject malicious JavaScript code into such popups. The bugs, which affect all versions up to and including Popup Builder 3.63, let attackers steal information and take over websites, said a blog post by Defiant QA engineer Ram Gall.

“One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded. The other vulnerability allowed any logged-in user, even those with minimal permissions such as a subscriber, to export a list of all newsletter subscribers, export system configuration information, and grant themselves access to various features of the plugin,” he said.

Gall disclosed these issues to the plugin’s author, who responded within a few hours. He added that the flaws have been patched in version 3.64.1 and recommended that users update to the latest available version immediately.
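As an added example, not code from the article or from the plugin's authors, a small Python check that reads the Version header of a plugin's main file and flags anything below the 3.64.1 release the article reports as fixed; the header text is a constructed sample, and the file layout is assumed to follow the standard WordPress plugin header format.

```python
import re

# Constructed sample of a WordPress plugin main-file header block.
# Assumed content; not taken from the Popup Builder plugin itself.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Popup Builder
 * Version: 3.63
 */
"""

FIXED_VERSION = "3.64.1"  # release the article reports as patched


def parse_version(text):
    """Turn '3.64.1' into a tuple of ints, padded to three components so
    that '3.63' and '3.64.1' compare cleanly."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def installed_version(header_text):
    """Read the 'Version:' field from a WordPress plugin header block."""
    m = re.search(r"\bVersion:\s*([0-9][\w.\-]*)", header_text)
    if not m:
        raise ValueError("Version header not found")
    return m.group(1)


def needs_update(header_text, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed release."""
    return parse_version(installed_version(header_text)) < parse_version(fixed)


if __name__ == "__main__":
    ver = installed_version(SAMPLE_PLUGIN_HEADER)
    status = "UPDATE REQUIRED" if needs_update(SAMPLE_PLUGIN_HEADER) else "ok"
    print(f"Popup Builder {ver}: {status}")
```

Run it against the header of each installed plugin copy to feed the asset inventory and patch prioritisation the article's commentators describe.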

“While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover,” he wrote.

This is an example of the importance of enterprise security programmes, where organisations understand their information assets and have an up-to-date asset management inventory, said Niamh Muldoon, senior director of Trust & Security at OneLogin.

“By having these, organisations can prioritise applying patches when “day-zero” types of vulnerabilities and/or bugs like this are announced. The prioritisation of applying patches varies from organisation to organisation, but should fundamentally be based on risk assessment criteria of the services offered by the exposed website, e.g. payments, authentication credentials and PII data,” she told SC Media UK.

“Security automation is hugely beneficial to delivering quick responses to reduce risk exposure. Multi-factor authentication (MFA) plays a role in reducing the risk of this vulnerability being exploited, exposing critical data. However, that is dependent on the second and third factor types, i.e. token type and how they have been implemented/configured with the WordPress site.”

WordPress plugins are written by different companies hooking into the same platform, and this causes the regular occurrences of severe vulnerabilities, observed Keith Geraghty, solution architect at edgescan.

“Given the typical wide range of quality in relation to secure application development across development houses, this gives rise to multiple organisations all developing insecure code for the same platform. WordPress historically has a high-risk density and we see a stream of breaches happening every month that relate to different plugins. It's the platform that keeps giving (high risk issues),” he told SC Media UK.

Users need to be using WPScan combined with good vulnerability management on a continuous basis to ensure their various WordPress components are up to date, he said.

WPScan is an open-source program, so there is no excuse for not doing the bare minimum.
