WordPress Popup Maker Vulnerability Impacts Up To +700,000 Websites – Digital Marketing Agency / Company in Chennai

The U.S. government National Vulnerability Database issued an advisory about a Stored Cross-Site Scripting vulnerability in the popular Popup Maker plugin for WordPress.

Popup Maker for WordPress

A vulnerability was discovered in the “Popup Maker – Popup for opt-ins, lead gen, & more” WordPress plugin, which is installed on over 700,000 websites.

The Popup Maker plugin integrates with many of the most popular contact forms, with features designed to drive conversions in WooCommerce stores, email newsletter signups and other popular applications related to lead generation.

Although the plugin has only been around since 2021, it has experienced phenomenal growth and earned over 4,000 five-star reviews.

Popup Maker Vulnerability

The vulnerability affecting this plugin is called stored cross-site scripting (XSS). It’s called “stored” because a malicious script is uploaded to the website and stored on the server itself.

XSS vulnerabilities generally occur when an input fails to sanitize what is being uploaded. Anywhere that a user can input data can become vulnerable if there is a lack of control over what can be uploaded.

This specific vulnerability can happen when a hacker who has gained the credentials of a user with at least a contributor level of access initiates the attack.

The U.S. Government National Vulnerability Database describes the reason for the vulnerability and how an attack can happen:

“The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.”

An official changelog published by the plugin author indicates that the exploit allows a person with contributor level access to run JavaScript.

The Popup Maker Plugin changelog for version V1.16.9 notes:

“Security: Patched XSS vulnerability allowing contributors to run unfiltered JavaScript.”

Security company WPScan (owned by Automattic) published a proof of concept that shows how the exploit works.

“As a contributor, put the following shortcode in a post/page

[pum_sub_form name_field_type=”fullname” label_name=”Name” label_email=”Email” label_submit=”Subscribe” placeholder_name=”Name” placeholder_email=”Email” form_layout=”block” form_alignment=”center” form_style=”default” privacy_consent_enabled=”yes” privacy_consent_label=”Notify me about related content and special offers.” privacy_consent_type=”radio” privacy_consent_radio_layout=”inline” privacy_consent_yes_label=”Yes” privacy_consent_no_label=”No” privacy_usage_text=”If you opt in above we use this information send related content, discounts and other special offers.” redirect_enabled redirect=”javascript:alert(/XSS/)”]

The XSS will be triggered when previewing/viewing the post/page and submitting the form”

While there is no description of how bad the exploit can be, in general, Stored XSS vulnerabilities can have severe consequences including full site takeover, user data exposure and the planting of Trojan horse programs.

There have been subsequent updates since the original patch was issued for version 1.16.9, including a newer update that fixes a bug that was introduced with the security patch.

The most current version of the Popup Maker plugin is V1.17.1.

Publishers who have the plugin installed should consider updating to the latest version.
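
Updating does not show whether a contributor account already saved a shortcode like the one in the WPScan proof of concept. The following added example (not from the article, WPScan or the plugin's code) scans exported post content for `pum_sub_form` shortcodes whose `redirect` value uses a scheme other than http or https. The function names, the sample rows and the choice to audit only the `redirect` attribute are assumptions made for illustration.

```python
import html
import re

# Shortcode and attribute taken from the WPScan proof of concept quoted above.
SHORTCODE_RE = re.compile(r"\[pum_sub_form\b([^\]]*)\]", re.IGNORECASE)
# name=value pairs; typographic quotes are accepted because editors often convert them.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|[“”]([^“”]*)[“”]|([^\s\]]+))""")
SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")
SAFE_SCHEMES = {"http", "https"}
AUDITED_ATTR = "redirect"  # assumption: only the attribute used in the quoted PoC is audited
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def is_safe_redirect(value):
    """True for relative URLs and http(s) URLs; False for any other scheme."""
    # Normalise the way a browser does before it resolves the scheme: decode
    # entities, trim leading/trailing control characters and spaces, drop tab/CR/LF.
    url = html.unescape(value).strip(C0_AND_SPACE)
    url = re.sub(r"[\t\r\n]", "", url)
    match = SCHEME_RE.match(url)
    return match is None or match.group(1).lower() in SAFE_SCHEMES


def find_unsafe_redirects(post_id, content):
    """Return (post_id, value) for each pum_sub_form redirect with a non-http(s) scheme."""
    findings = []
    for shortcode in SHORTCODE_RE.finditer(content):
        for attr in ATTR_RE.finditer(shortcode.group(1)):
            value = next((g for g in attr.groups()[1:] if g is not None), "")
            if attr.group(1).lower() == AUDITED_ATTR and not is_safe_redirect(value):
                findings.append((post_id, value))
    return findings


# Constructed sample rows standing in for (ID, post_content) pairs exported from wp_posts.
SAMPLE_POSTS = [
    (101, '[pum_sub_form label_submit="Subscribe" redirect_enabled redirect="/thank-you/"]'),
    (102, "[pum_sub_form redirect_enabled redirect=”javascript:alert(/XSS/)”]"),
    (103, "<p>No shortcode here, see https://example.com/</p>"),
]

if __name__ == "__main__":
    for post_id, content in SAMPLE_POSTS:
        for finding in find_unsafe_redirects(post_id, content):
            print("review post %s: redirect=%r" % finding)
```

Any post the scan reports is worth reviewing together with the account that last edited it, since the advisory puts the required role as low as contributor.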
