The creator of this add-on, Sygnoos, presents it as a tool that can help boost sales and revenue through smart popups that display ads, subscription requests, discounts and various other types of advertising content.
As discovered by Defiant QA engineer Ram Gall, these errors affect all versions of Popup Builder up to 3.63.
"Usually attackers use such a vulnerability to redirect site visitors to malvertising sites or to steal sensitive information from their browsers, although they could also be used to redeem the site if a webmaster or visitor visited or previewed a page containing the infected popup when logged in."
Another bug that was discovered allows any logged-in user (even one with only subscriber rights) to access plugin features, extract subscriber lists, and export system configuration information with a simple POST request to admin-post.php.
The bugs are designated CVE-2020-10196 and CVE-2020-10195 and allow unauthenticated stored XSS, configuration disclosure, user data extraction and modification of site settings.
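The subscriber-level access and settings-modification issues described above come down to what a WordPress `admin_post_*` handler checks before it acts: admin-post.php dispatches to the handler for any logged-in user, so authorization has to live in the handler itself. The following is an added illustration, not Popup Builder's code or anything from Sygnoos or Defiant; the `example_*` function names, hook names and the `example_subscribers` / `example_popup_settings` options are hypothetical. It shows a handler that only relies on the user being logged in next to one that adds a capability check, a CSRF nonce check, and output encoding and input sanitization for the popup content that a stored XSS bug would otherwise ride on.

```php
<?php
/*
 * Constructed illustration (not Popup Builder's code): two admin_post
 * handlers for a hypothetical "export subscribers" feature plus a
 * hardened settings-save handler. admin-post.php fires
 * "admin_post_{action}" for any logged-in user, so the handler itself
 * must decide who is authorized.
 */

// Weak pattern: being logged in is the only gate. A subscriber-level
// account can reach this action and download the whole list.
function example_export_subscribers_weak() {
    $rows = get_option( 'example_subscribers', array() ); // hypothetical option
    header( 'Content-Type: text/csv' );
    foreach ( $rows as $row ) {
        echo $row['email'] . "\n"; // raw output, no encoding
    }
    exit;
}
add_action( 'admin_post_example_export_weak', 'example_export_subscribers_weak' );

// Hardened pattern: capability check, nonce check, escaped output.
function example_export_subscribers_hardened() {
    // 1. Authorization: require an administrator-level capability,
    //    not merely an authenticated session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry a nonce minted for this action;
    //    check_admin_referer() dies with a 403 if it is missing or stale.
    check_admin_referer( 'example_export', '_wpnonce' );

    $rows = get_option( 'example_subscribers', array() );
    header( 'Content-Type: text/csv' );
    foreach ( $rows as $row ) {
        // 3. Output encoding: a value stored earlier must never be emitted raw.
        echo esc_html( $row['email'] ) . "\n";
    }
    exit;
}
add_action( 'admin_post_example_export', 'example_export_subscribers_hardened' );

// The same discipline for a settings-update handler: authorize, verify the
// nonce, then sanitize every field before it is stored.
function example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_settings', '_wpnonce' );

    $title = isset( $_POST['popup_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['popup_title'] ) )
        : '';
    // Rich popup content is allowed but restricted to the post-safe tag set,
    // which drops <script> elements and on* event attributes before storage.
    $body = isset( $_POST['popup_body'] )
        ? wp_kses_post( wp_unslash( $_POST['popup_body'] ) )
        : '';

    update_option( 'example_popup_settings', array( 'title' => $title, 'body' => $body ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-popups&saved=1' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```

The form or link that triggers the hardened handlers must embed the matching nonce (for example `wp_nonce_field( 'example_export', '_wpnonce' )` in the form), otherwise `check_admin_referer()` rejects every request. When reviewing a plugin for this class of bug, look at each `admin_post_*` and `wp_ajax_*` callback and confirm that a `current_user_can()` check and a nonce check appear before any data is read or written; a handler that starts with `get_option()` or `update_option()` is the pattern to flag.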
Sygnoos fixed the security issues in Popup Builder version 3.64.1, a week after the bug was reported by Defiant.
To date, 66,000 sites are still exposed to attacks.