WordPress Popup Maker Vulnerability Impacts Up To +700,000 Websites

The U.S. government's National Vulnerability Database issued an advisory about a Stored Cross-Site Scripting vulnerability in the popular Popup Maker plugin for WordPress.

Popup Maker for WordPress

A vulnerability was discovered in the “Popup Maker – Popup for opt-ins, lead gen, & more” WordPress plugin, which is installed on over 700,000 websites.

The Popup Maker plugin integrates with many of the most popular contact forms, with features designed to drive conversions in WooCommerce stores, email newsletter signups and other common lead-generation uses.

Although the plugin has only been around since 2021, it has experienced phenomenal growth and earned over 4,000 five-star reviews.

Popup Maker Vulnerability

The vulnerability affecting this plugin is called stored cross-site scripting (XSS). It is called “stored” because the malicious script is uploaded to the website and stored on the server itself.

XSS vulnerabilities typically occur when an input fails to sanitize what is being uploaded. Anywhere that a user can enter data can become vulnerable when there is no control over what can be uploaded.

This particular vulnerability can be exploited when an attacker obtains the credentials of a user with at least contributor-level access and uses that account to initiate the attack.

The U.S. Government National Vulnerability Database describes the reason for the vulnerability and how an attack can happen:

“The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.”

An official changelog published by the plugin author indicates that the exploit allows a person with contributor-level access to run JavaScript.

The Popup Maker plugin changelog for version 1.16.9 notes:

“Security: Patched XSS vulnerability allowing contributors to run unfiltered JavaScript.”

Security company WPScan (owned by Automattic) published a proof of concept that shows how the exploit works.

“As a contributor, put the following shortcode in a post/page

[pum_sub_form name_field_type="fullname" label_name="Name" label_email="Email" label_submit="Subscribe" placeholder_name="Name" placeholder_email="Email" form_layout="block" form_alignment="center" form_style="default" privacy_consent_enabled="yes" privacy_consent_label="Notify me about related content and special offers." privacy_consent_type="radio" privacy_consent_radio_layout="inline" privacy_consent_yes_label="Yes" privacy_consent_no_label="No" privacy_usage_text="If you opt in above we use this information send related content, discounts and other special offers." redirect_enabled redirect="javascript:alert(/XSS/)"]

The XSS will be triggered when previewing/viewing the post/page and submitting the form”
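The NVD description above says the root cause is a shortcode attribute that is neither validated nor escaped, and the WPScan proof of concept shows which attribute matters. The following Python is an added example, not code from the page, WPScan or the Popup Maker project. It shows the two defensive halves of the issue: the validation a redirect-style attribute should pass before it is ever emitted (following the contract of WordPress's esc_url(), which returns an empty string for a disallowed scheme), and a scan over existing post content that flags the pattern from the proof of concept. The shortcode grammar is a simplified assumption, not WordPress's own parser, and the sample post content is constructed.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Simplified shortcode/attribute grammar (assumption: close to, but not identical
# with, WordPress's own parser). Handles quoted values, bare values and bare flags.
SHORTCODE_RE = re.compile(r"\[(\w+)((?:\s+[^\]]*)?)\]")
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))|(\w+)')


def parse_shortcodes(content):
    """Yield (tag, {attribute: value}) for every shortcode found in post content."""
    for m in SHORTCODE_RE.finditer(content):
        tag, atts = m.group(1), {}
        for a in ATTR_RE.finditer(m.group(2)):
            if a.group(5):
                atts[a.group(5)] = True          # bare flag, e.g. redirect_enabled
            else:
                atts[a.group(1)] = a.group(2) or a.group(3) or a.group(4) or ""
        yield tag, atts


def safe_redirect_url(value):
    """Validation a redirect attribute must pass before it is emitted into a page:
    allow only site-relative paths or absolute http(s) URLs; reject everything else
    (javascript:, data:, vbscript:, protocol-relative //host, ...). Returns "" on
    rejection, the same contract WordPress's esc_url() follows for bad schemes."""
    value = value.strip()
    if value.startswith("/") and not value.startswith("//"):
        return value
    parts = urlsplit(value)
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return value
    return ""


def find_unsafe_redirects(content, tag="pum_sub_form"):
    """Detection: every redirect value in `tag` shortcodes that fails validation,
    i.e. what a scan of already-stored post content should flag after patching."""
    return [atts["redirect"] for t, atts in parse_shortcodes(content)
            if t == tag and isinstance(atts.get("redirect"), str)
            and safe_redirect_url(atts["redirect"]) == ""]


# Constructed sample post content: one benign form and one carrying the PoC payload.
SAMPLE_POST = (
    'Thanks for reading! [pum_sub_form label_submit="Subscribe" redirect_enabled '
    'redirect="https://example.com/thanks"] More text here. '
    '[pum_sub_form label_submit="Subscribe" redirect_enabled redirect="javascript:alert(/XSS/)"]'
)
```

Running `find_unsafe_redirects` over an export of `post_content` rows gives a quick way to check whether the payload was stored on a site before it was updated.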

While there is no description of how bad the exploit can be, in general, stored XSS vulnerabilities can have severe consequences including full site takeover, user data exposure and the planting of Trojan horse programs.

There have been subsequent updates since the original patch was issued in version 1.16.9, including a newer update that fixes a bug introduced with the security patch.

The most current version of the Popup Maker plugin is V1.17.1.

Publishers who have the plugin installed should consider updating to the latest version.


Read the U.S. Government National Vulnerability Database advisory:

CVE-2022-4381 Detail

Read the WPScan advisory:

Popup Maker < 1.16.9 – Contributor+ Stored XSS via Subscription Form

Featured image by Shutterstock/Asier Romero
