March 12

Vulnerabilities Patched in Popup Builder Plugin Affecting More Than 100,000 Sites

WordPress Vulnerabilities


On March 4th, our Threat Intelligence team discovered several vulnerabilities in Popup Builder, a WordPress plugin installed on more than 100,000 sites. One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded. Another vulnerability allowed any logged-in user, even one with minimal permissions such as a subscriber, to export a list of all newsletter subscribers, export system configuration information, and grant themselves access to various features of the plugin.

We privately disclosed these issues to the plugin’s author, who responded within a few hours. We worked with the developer over the course of a week to ensure the vulnerabilities were fully patched.

We recommend updating to the latest version, 3.64.1, immediately. Wordfence Premium customers received a new firewall rule on March 5, 2020 to protect against exploits targeting these vulnerabilities. Free Wordfence users will receive the rule after four weeks, on April 4, 2020.


Description: Unauthenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: Popup Builder – Responsive WordPress Pop-up – Membership & Newsletter
Plugin Slug: popup-builder
Affected Versions: <= 3.63
CVE ID: CVE-2020-10196
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 3.64.1

The Popup Builder plugin allows the creation of various popups on a WordPress site, including the ability to run custom JavaScript whenever a popup is loaded. It registered an AJAX hook, wp_ajax_nopriv_sgpb_autosave, intended to allow auto-saving of draft popups.

add_action('wp_ajax_nopriv_sgpb_autosave', array($this, 'sgpbAutosave'));

Unfortunately, this hook was available to unprivileged users, and the function it called lacked both nonce checks and capability checks. This meant an unauthenticated attacker could send a POST request to wp-admin/admin-ajax.php with an array parameter, ‘allPopupData’, containing a number of key-value pairs including a popup’s ID (visible in the page source) and a malicious JavaScript payload, which would then be saved in that popup’s settings and executed whenever a site visitor navigated to a page where the popup was displayed.

	public function sgpbAutosave()
	{
		// No nonce check and no capability check: anything that can reach
		// admin-ajax.php, including logged-out visitors via the nopriv hook,
		// gets here.
		$popupId = @(int)$_POST['post_ID'];
		$postStatus = get_post_status($popupId);
		if ($postStatus == 'publish') {
			echo '';
			wp_die();
		}

		if (!isset($_POST['allPopupData'])) {
			echo true;
			wp_die();
		}
		// The popup that is actually written comes from allPopupData, not
		// from the post_ID that was status-checked above.
		$popupData = SGPopup::parsePopupDataFromData($_POST['allPopupData']);
		do_action('save_post_popupbuilder');
		$popupType = $popupData['sgpb-type'];
		$popupClassName = SGPopup::getPopupClassNameFormType($popupType);
		$popupClassPath = SGPopup::getPopupTypeClassPath($popupType);
		if (file_exists($popupClassPath.$popupClassName.'.php')) {
			require_once($popupClassPath.$popupClassName.'.php');
			$popupClassName = __NAMESPACE__.'\\'.$popupClassName;
			$popupClassName::create($popupData, '_preview', 1);
		}

		wp_die();
	}

Note the lack of nonce and capability checks in this function. The function does attempt to prevent changes from being saved to any popup in ‘publish’ status. However, if no ‘post_ID’ parameter is sent, this check is bypassed and the post ID supplied in the ‘allPopupData’ parameter is updated instead.

Typically, attackers use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, though it could also be used for site takeover if an administrator visited or previewed a page containing the infected popup while logged in.
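As an added example (not the plugin’s actual fix), this is one way the autosave handler could be hardened so that each request is tied to a logged-in user who may edit that specific popup, and so that the popup ID that is status-checked is the popup ID that gets written. The SgpbAutosaveHardened class name, the ‘sgpb_autosave_nonce’ action and the assumption that allPopupData carries the popup ID under ‘post_ID’ are mine; hook, function and constant names come from the code above.

```php
<?php
// Added example, not the plugin's patch. SgpbAutosaveHardened, the nonce action
// and the 'post_ID' key inside allPopupData are assumed names.
class SgpbAutosaveHardened
{
	public function __construct()
	{
		// Only the authenticated hook: logged-out visitors have no drafts to
		// autosave, so the wp_ajax_nopriv_ variant is not registered at all.
		add_action('wp_ajax_sgpb_autosave', array($this, 'sgpbAutosave'));
	}

	public function sgpbAutosave()
	{
		// 1. Nonce: the editor screen must emit wp_create_nonce('sgpb_autosave_nonce')
		//    and send it as the 'nonce' field; a bad or missing nonce dies with -1.
		check_ajax_referer('sgpb_autosave_nonce', 'nonce');
		if (!isset($_POST['allPopupData'])) {
			wp_send_json_error('missing allPopupData', 400);
		}
		$popupData = SGPopup::parsePopupDataFromData(wp_unslash($_POST['allPopupData']));
		// 2. Take the ID from the same data that will be written, so the status
		//    check below cannot be skipped by simply omitting post_ID.
		$popupId = isset($popupData['post_ID']) ? (int) $popupData['post_ID'] : 0;
		if ($popupId <= 0 || get_post_type($popupId) !== SG_POPUP_POST_TYPE) {
			wp_send_json_error('not a popup', 400);
		}
		// 3. Capability: the caller must be allowed to edit this particular post.
		if (!current_user_can('edit_post', $popupId)) {
			wp_send_json_error('forbidden', 403);
		}
		// 4. Autosave is for drafts only; a published popup is never rewritten here.
		if (get_post_status($popupId) === 'publish') {
			wp_send_json_error('popup is already published', 409);
		}
		do_action('save_post_popupbuilder');
		$popupType      = $popupData['sgpb-type'];
		$popupClassName = SGPopup::getPopupClassNameFormType($popupType);
		$popupClassPath = SGPopup::getPopupTypeClassPath($popupType);
		if (file_exists($popupClassPath.$popupClassName.'.php')) {
			require_once($popupClassPath.$popupClassName.'.php');
			$popupClassName = __NAMESPACE__.'\\'.$popupClassName;
			$popupClassName::create($popupData, '_preview', 1);
		}
		wp_send_json_success();
	}
}
```

Dropping the nopriv hook alone would have stopped the unauthenticated case, but without the capability check any subscriber could still rewrite any popup, which is why checks 1 to 3 belong together.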


Description: Authenticated Settings Modification, Configuration Disclosure, and User Data Export
Affected Plugin: Popup Builder – Responsive WordPress Pop-up – Membership & Newsletter
Plugin Slug: popup-builder
Affected Versions: <= 3.63
CVE ID: CVE-2020-10195
CVSS Score: 6.3 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Fully Patched Version: 3.64.1

In addition to the stored XSS vulnerability, Popup Builder also had a few vulnerabilities that could be exploited by logged-in users with minimal permissions, such as subscribers. The vulnerable actions included:

add_action('admin_post_csv_file', array($this, 'getSubscribersCsvFile'));
add_action('admin_post_sgpb_system_info', array($this, 'getSystemInfoFile'));
add_action('admin_post_sgpbSaveSettings', array($this, 'saveSettings'), 10, 1);

By sending a $_POST request to admin-post.php with the ‘action’ parameter set to ‘sgpbSaveSettings’ and the ‘sgpb-user-roles[]’ parameter set to ‘subscriber’, an attacker could grant all subscriber-level users (including themselves) several permissions related to the plugin’s functionality. In addition to granting access to create and manage categories and newsletters, this would enable an attacker to use other AJAX functions that were protected by nonces, but not by capability checks, since usable nonces were displayed on these pages.

The vulnerable function code:

	public function saveSettings()
	{
		// Reachable by any logged-in user through admin_post_sgpbSaveSettings;
		// neither a nonce nor a capability is checked before options are written.
		$postData = $_POST;
		$deleteData = 0;

		if (isset($postData['sgpb-dont-delete-data'])) {
			$deleteData = 1;
		}
		$userRoles = @$postData['sgpb-user-roles'];

		update_option('sgpb-user-roles', $userRoles);
		update_option('sgpb-dont-delete-data', $deleteData);

		wp_redirect(admin_url().'edit.php?post_type='.SG_POPUP_POST_TYPE.'&page='.SG_POPUP_SETTINGS_PAGE);
	}

Additionally, a $_POST request could be sent to admin-post.php with the ‘action’ parameter set to ‘csv_file’ in order to export a list of newsletter subscribers. As a result, an attacker could access sensitive newsletter subscriber information and use it in a social engineering attack against those subscribers.

The vulnerable function code:

	public function getSubscribersCsvFile()
	{
		// No capability check: any logged-in user can trigger the export.
		global $wpdb;
		$query = AdminHelper::subscribersRelatedQuery();
		if (isset($_GET['orderby']) && !empty($_GET['orderby'])) {
			if (isset($_GET['order']) && !empty($_GET['order'])) {
				$query .= ' ORDER BY '.esc_sql($_GET['orderby']).' '.esc_sql($_GET['order']);
			}
		}
		$content = '';
		$exportTypeQuery = '';
		$rows = array('first name', 'last name', 'email', 'date', 'popup');
		foreach ($rows as $value) {
			$content .= $value;
			if ($value != 'popup') {
				$content .= ',';
			}
		}
		$content .= "\n";
		$subscribers = $wpdb->get_results($query, ARRAY_A);

		$subscribers = apply_filters('sgpbSubscribersCsv', $subscribers);

		foreach ($subscribers as $values) {
			foreach ($values as $key => $value) {
				$content .= $value;
				if ($key != 'subscriptionTitle') {
					$content .= ',';
				}
			}
			$content .= "\n";
		}

		$content = apply_filters('sgpbSubscribersContent', $content);

		header('Pragma: public');
		header('Expires: 0');
		header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
		header('Cache-Control: private', false);
		header('Content-Type: application/octet-stream');
		header('Content-Disposition: attachment; filename=subscribersList.csv;');
		header('Content-Transfer-Encoding: binary');
		echo $content;
	}

Moreover, the ‘action’ parameter could be changed to ‘sgpb_system_info’ to reveal potentially sensitive system configuration information, including all installed plugins and their activation status. This data could be used by an attacker to craft a more sophisticated attack against a target site. If another vulnerable plugin was installed on the site, an attacker could discover this and attempt to escalate their attack by exploiting it.

The vulnerable function code:

	public function getSystemInfoFile()
	{
		// No capability check: any logged-in user receives the system report.
		$content = AdminHelper::getSystemInfoText();

		header('Pragma: public');
		header('Expires: 0');
		header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
		header('Cache-Control: private', false);
		header('Content-Type: application/octet-stream');
		header('Content-Disposition: attachment; filename=popupBuilderSystemInfo.txt;');
		header('Content-Transfer-Encoding: binary');

		echo $content;
	}

Disclosure Timeline

March 4, 2020 – Wordfence Threat Intelligence discovers and analyzes vulnerabilities in the Popup Builder plugin.
March 5, 2020 – Firewall rule released for Wordfence Premium users. Initial outreach to plugin vendor. Plugin vendor responds within a few hours, and we send over the full vulnerability report.
March 6, 2020 – Plugin vendor sends patched version to us for review. Additional guidance provided to strengthen security.
March 11, 2020 – Fully patched version released.
April 4, 2020 – Firewall rule available to free users.

Conclusion

In today’s post, we detailed several vulnerabilities, including unauthenticated stored XSS, settings modification, configuration disclosure, and user data export, in the Popup Builder plugin. These flaws have been patched in version 3.64.1 and we recommend that users update to the latest version available immediately. While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover. Sites running Wordfence Premium have been protected against attacks on these vulnerabilities since March 5, 2020. Sites running the free version of Wordfence will receive the same firewall rule update on April 4, 2020.

The post Vulnerabilities Patched in Popup Builder Plugin Affecting over 100,000 Sites appeared first on Wordfence.

About the author 

WP Maintain Support Protect
