Thursday, September 17, 16:43

Error in WordPress plugin allows malicious code to be inserted

The Popup Builder plugin for WordPress has a vulnerability that allows malicious JavaScript code to be inserted into popups, which can appear on tens of thousands of websites and steal sensitive information or even take complete control of a site.

Popup Builder enables site owners to create, deploy, and manage custom popups that feature a wide range of content, from HTML and JavaScript to images and video.

The creator of this add-on, Sygnoos, presents it as a tool that can help boost sales and revenue through smart popups for displaying ads, subscription requests, discounts and various other types of advertising content.

Errors discovered

As discovered by Defiant QA Engineer Ram Gall, these errors affect all versions up to Popup Builder 3.63.

"Usually attackers use such a vulnerability to redirect site visitors to malvertising sites or to steal sensitive information from their browsers, although it could also be used to take over the site if a webmaster or visitor visited or previewed a page containing the infected popup when logged in."

Another bug that was discovered allows any logged-in user (with subscriber rights) to access plugin features, extract subscriber lists, and export system configuration information with a simple POST request to admin-post.php.
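The access-control gap described above, shown as an added example that is not Popup Builder's own code: a WordPress `admin-post.php` handler without an authorization check, next to a hardened form. The action name, function names, nonce names and sample rows are hypothetical and constructed for illustration.

```php
<?php
/**
 * Plugin Name: Example export handler (constructed for illustration)
 */

// admin-post.php fires "admin_post_{action}" for ANY logged-in user,
// subscribers included, so registering on the hook is not an access check.
// Weak form, shown for comparison only:
// add_action('admin_post_example_export_subscribers', 'example_export_unsafe');
add_action('admin_post_example_export_subscribers', 'example_export_hardened');

// Weak form: runs for every authenticated account that sends the POST.
function example_export_unsafe() {
    example_send_csv();
}

// Hardened form: check the capability and a nonce before doing any work.
function example_export_hardened() {
    if (!current_user_can('manage_options')) {
        wp_die('You are not allowed to export subscribers.', '', array('response' => 403));
    }
    // The nonce is created in the admin form with
    // wp_nonce_field('example_export', 'example_nonce').
    check_admin_referer('example_export', 'example_nonce');
    example_send_csv();
}

function example_send_csv() {
    // Constructed sample rows standing in for a subscriber table.
    $rows = array(
        array('email', 'subscribed_at'),
        array('alice@example.test', '2020-03-01'),
    );
    nocache_headers();
    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="subscribers.csv"');
    $out = fopen('php://output', 'w');
    foreach ($rows as $row) {
        fputcsv($out, $row);
    }
    fclose($out);
    exit;
}
```

The capability check restricts the export to administrators, and the nonce ties the request to a form the administrator actually loaded.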

The bugs are designated CVE-2020-10196 and CVE-2020-10195 and allow unauthenticated stored XSS, configuration disclosure, user data extraction and modification of site settings.

Sygnoos fixed the security issues in Popup Builder version 3.64.1, a week after the bug was reported by Defiant.

To date, 66,000 sites are still exposed to attacks.

By the end of February, many hackers were trying to exploit vulnerabilities in WordPress add-ons to install backdoors and create accounts that allow them to expose thousands of accounts to attacks.

