The U.S. government's National Vulnerability Database issued an advisory about a Stored Cross-Site Scripting vulnerability in the popular Popup Maker plugin for WordPress.
Popup Maker for WordPress
A vulnerability was discovered in the “Popup Maker – Popup for opt-ins, lead gen, & more” WordPress plugin, which is installed on over 700,000 websites.
The Popup Maker plugin integrates with many of the most popular contact forms, with features designed to drive conversions in WooCommerce stores, email newsletter signups, and other popular lead generation applications.
Although the plugin has only been around since 2021, it has experienced phenomenal growth and earned over 4,000 five-star reviews.
Popup Maker Vulnerability
The vulnerability affecting this plugin is called stored cross-site scripting (XSS). It is called “stored” because the malicious script is submitted to the website and saved on the server itself, so it is served to every visitor who loads the affected page rather than only to the victim of a single crafted link.
XSS vulnerabilities typically arise when an input fails to validate and escape what is being submitted. Any place where a user can enter data can become vulnerable if there is no control over what is accepted and how it is rendered back into the page.
This particular vulnerability is exploited by an attacker who holds, or has obtained, the credentials of a user with at least contributor-level access; that account is used to submit the malicious content.
The U.S. Government National Vulnerability Database describes the reason for the vulnerability and how an attack can happen:
“The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.”
An official changelog published by the plugin author indicates that the exploit allows a person with contributor-level access to run JavaScript.
The Popup Maker plugin changelog for version 1.16.9 notes:
“Security: Patched XSS vulnerability allowing contributors to run unfiltered JavaScript.”
Security company WPScan (owned by Automattic) published a proof of concept that shows how the exploit works.
“As a contributor, put the following shortcode in a post/page
[pum_sub_form name_field_type="fullname" label_name="Name" label_email="Email" label_submit="Subscribe" placeholder_name="Name" placeholder_email="Email" form_layout="block" form_alignment="center" form_style="default" privacy_consent_enabled="yes" privacy_consent_label="Notify me about related content and special offers." privacy_consent_type="radio" privacy_consent_radio_layout="inline" privacy_consent_yes_label="Yes" privacy_consent_no_label="No" privacy_usage_text="If you opt in above we use this information send related content, discounts and other special offers." redirect_enabled redirect="javascript:alert(/XSS/)"]
The XSS will be triggered when previewing/viewing the post/page and submitting the form”
While the advisory does not describe how harmful this particular exploit could be, stored XSS vulnerabilities in general can have severe consequences, including full site takeover, user data exposure, and the planting of Trojan horse programs. The injected script runs with the privileges of whoever views the page, so the realistic target is an editor or administrator who previews the contributor's submission before publishing it; in the proof of concept above, the unvalidated redirect attribute carries a javascript: URL that the browser executes when the form is submitted.
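The shortcode attribute in the proof of concept is a redirect target that should never have accepted a javascript: URL. The following is an added example, not code from the advisory, from WPScan, or from the Popup Maker plugin: a Python scanner that pulls every pum_sub_form shortcode out of post content, checks the redirect attribute the way a browser would interpret it (entity-decoded, with the whitespace characters browsers discard before reading the scheme), and shows the hardened handling a shortcode handler should apply. The sample post content, the narrow scheme allow-list, and the simplified attribute parser are assumptions made for this example; WordPress's own allow-list of protocols is longer, and this is not how the plugin's patch was written.

```python
import html
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample post body for this example (not taken from the advisory).
# It mixes one benign subscription form with three variants of the WPScan
# payload, two of which a naive startswith("javascript:") check would miss.
SAMPLE_POST_CONTENT = """
<p>Join the list:</p>
[pum_sub_form form_layout="block" redirect_enabled redirect="https://example.com/thanks"]
<p>Contributor-supplied block:</p>
[pum_sub_form name_field_type="fullname" redirect_enabled redirect="javascript:alert(/XSS/)"]
[pum_sub_form redirect_enabled redirect=" JaVaScRiPt:alert(1)"]
[pum_sub_form redirect_enabled redirect="java&#9;script:alert(1)"]
"""

# Assumption: schemes a redirect target may use. WordPress's own allow-list
# (wp_allowed_protocols) is longer; this one is deliberately narrow.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

_SHORTCODE_RE = re.compile(r"\[pum_sub_form\b([^\]]*)\]")
_ATTR_RE = re.compile(r"""(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*'([^']*)'|(\w+)""")
_SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def parse_shortcode_atts(body: str) -> Dict[str, Optional[str]]:
    """Simplified stand-in for WordPress attribute parsing: key="value",
    key='value', or a bare flag such as redirect_enabled (value None)."""
    atts: Dict[str, Optional[str]] = {}
    for m in _ATTR_RE.finditer(body):
        if m.group(1) is not None:
            atts[m.group(1)] = m.group(2)
        elif m.group(3) is not None:
            atts[m.group(3)] = m.group(4)
        else:
            atts[m.group(5)] = None
    return atts


def find_sub_form_shortcodes(content: str) -> List[Dict[str, Optional[str]]]:
    """Attribute map of every [pum_sub_form ...] shortcode in the content."""
    return [parse_shortcode_atts(m.group(1)) for m in _SHORTCODE_RE.finditer(content)]


def url_scheme(raw: str) -> Optional[str]:
    """Scheme a browser would see for the stored value, or None for a relative URL.

    Mirrors the path from storage to execution: the HTML parser decodes entities,
    then the URL parser strips leading/trailing C0 controls and spaces and drops
    tab/LF/CR anywhere in the string before it reads the scheme.
    """
    s = html.unescape(raw).strip(_C0_AND_SPACE)
    s = re.sub(r"[\t\n\r]", "", s)
    m = _SCHEME_RE.match(s)
    return m.group(1).lower() if m else None


def is_safe_redirect(raw: str) -> bool:
    """True for relative URLs and allow-listed schemes; False for javascript:, data:, ..."""
    scheme = url_scheme(raw)
    return scheme is None or scheme in ALLOWED_SCHEMES


def sanitize_redirect(raw: str) -> str:
    """Hardened handling of the attribute: reject unsafe values (an empty string
    disables the redirect) and escape the rest for the double-quoted HTML
    attribute context it is emitted into."""
    if not is_safe_redirect(raw):
        return ""
    return html.escape(html.unescape(raw).strip(), quote=True)


def scan_content(content: str) -> List[Tuple[str, str]]:
    """Flag every pum_sub_form redirect value that fails the scheme check.
    Returns (raw_value, scheme) pairs; run it over a post_content export."""
    findings: List[Tuple[str, str]] = []
    for atts in find_sub_form_shortcodes(content):
        raw = atts.get("redirect")
        if raw is not None and not is_safe_redirect(raw):
            findings.append((raw, url_scheme(raw) or ""))
    return findings


if __name__ == "__main__":
    for raw, scheme in scan_content(SAMPLE_POST_CONTENT):
        print(f"unsafe redirect scheme {scheme!r}: {raw!r}")
```

The order of operations in url_scheme is the point: the scheme comparison has to happen after entity decoding and whitespace stripping, because the stored string "java&#9;script:" reaches the browser as "javascript:". The scanner is a triage aid for sites that ran a vulnerable version; it does not replace updating the plugin.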
There have been subsequent updates since the original patch was issued in version 1.16.9, including a more recent update that fixes a bug introduced with the security patch.
As of this writing, the most current version of the Popup Maker plugin is 1.17.1.
Publishers who have the plugin installed should update to the latest version.
Citations
Read the U.S. Government National Vulnerability Database advisory:
Read the WPScan advisory:
Popup Maker < 1.16.9 – Contributor+ Stored XSS via Subscription Form
Featured picture by Shutterstock/Asier Romero