Gall disclosed these issues to the plugin’s author, who responded within a few hours. He added that the flaws have been patched in version 3.64.1 and recommended that users update to the latest available version immediately.
“While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover,” he wrote.
This is an example of the importance of enterprise security programmes, where organisations understand their information assets and have an up-to-date asset management inventory, said Niamh Muldoon, senior director of Trust & Security at OneLogin.
“By having these, organisations can prioritise applying patches when “day-zero” types of vulnerabilities and/or bugs like this are announced. The prioritisation of applying patches varies from organisation to organisation, but should fundamentally be based on risk assessment criteria of the services offered by the exposed website, e.g. payments, authentication credentials and PII data,” she told SC Media UK.
“Security automation is hugely beneficial to delivering quick responses to reduce risk exposure. Multi-factor authentication (MFA) plays a role in reducing the risk of this vulnerability being exploited, exposing critical data. However, that is dependent on the second and third factor types, i.e. token type and how they have been implemented/configured with the WordPress Site.”
WordPress plugins are written by different companies hooking into the same platform, which leads to regular occurrences of severe vulnerabilities, observed Keith Geraghty, solution architect at edgescan.
“Given the typical wide range of quality in relation to secure application development across development houses, this gives rise to multiple organisations all developing insecure code for the same platform. WordPress historically has a high-risk density and we see a stream of breaches happening every month that relate to different plugins. It's the platform that keeps giving (high risk issues),” he told SC Media UK.
Users need to be using WP-scan combined with good vulnerability management on a continuous basis to ensure their various WordPress components are up to date, he said.
“WP-scan is an open-source program, so there is no excuse for not doing the bare minimum.”
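The asset-inventory and patch-prioritisation point Muldoon makes, and Geraghty’s call to keep every WordPress component up to date, both come down to one repeatable check: know which plugins are installed, at which version, and whether that version is below a known fix. The following script is an added example (not from the article, from WPScan, or from the plugin vendor) showing the core of such a check. It parses the standard WordPress plugin header block (the `Version:` line in a plugin’s main PHP file) and compares it against a table of minimum safe versions. The Popup Builder entry uses the 3.64.1 fix version reported above; the plugin slugs, the second plugin, and all header blocks are constructed sample data for the demonstration.

```python
"""Flag WordPress plugins whose installed version is below a known patched version.

Added example, not from the article or any vendor tool. It reads the standard
WordPress plugin header block and compares the `Version:` header against a
minimum-safe version table. All sample headers below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimum-safe versions. The Popup Builder entry uses the fix version the
# article reports (3.64.1); the slug and the second plugin are constructed.
MIN_SAFE_VERSION: Dict[str, str] = {
    "popup-builder": "3.64.1",
    "example-forms": "2.0.0",   # hypothetical plugin
}

# Constructed sample plugin main files keyed by plugin slug (the directory a
# real install would use under wp-content/plugins/).
SAMPLE_PLUGIN_FILES: Dict[str, str] = {
    "popup-builder": """<?php
/**
 * Plugin Name: Popup Builder
 * Version: 3.63
 */
""",
    "example-forms": """<?php
/**
 * Plugin Name: Example Forms
 * Version: 2.1.3
 */
""",
    "unknown-plugin": """<?php
/**
 * Plugin Name: Unknown Plugin
 * Version: 1.0
 */
""",
}

# Matches " * Version: 3.63" or "Version: 3.63" at the start of a header line.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version_header(php_source: str) -> Optional[str]:
    """Return the Version: header value from a plugin's main PHP file, or None."""
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Convert '3.64.1' -> (3, 64, 1); parsing stops at the first non-numeric part."""
    parts: List[int] = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group(0)))
    return tuple(parts)


def is_outdated(installed: str, minimum: str) -> bool:
    """True when installed < minimum, comparing numeric components left to right.
    Shorter tuples are zero-padded so '3.64' compares as 3.64.0."""
    a, b = version_tuple(installed), version_tuple(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit_plugins(plugin_files: Dict[str, str],
                  minimums: Dict[str, str]) -> Dict[str, str]:
    """Map each plugin slug to 'outdated', 'ok', 'unknown' (no baseline for
    this slug) or 'unparsed' (no Version header found)."""
    results: Dict[str, str] = {}
    for slug, source in plugin_files.items():
        installed = parse_version_header(source)
        if installed is None:
            results[slug] = "unparsed"
        elif slug not in minimums:
            results[slug] = "unknown"
        elif is_outdated(installed, minimums[slug]):
            results[slug] = "outdated"
        else:
            results[slug] = "ok"
    return results


if __name__ == "__main__":
    for slug, status in audit_plugins(SAMPLE_PLUGIN_FILES, MIN_SAFE_VERSION).items():
        print(f"{slug:16s} {status}")
```

On a live site the `SAMPLE_PLUGIN_FILES` dictionary would be replaced by reading each plugin’s main file from `wp-content/plugins/`, and the `MIN_SAFE_VERSION` table would be fed from an advisory source rather than typed by hand; the `unknown` and `unparsed` statuses are deliberately separate so that an inventory gap (a plugin with no baseline) is visible rather than silently treated as safe.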