The security flaws in the plugin, which affect all versions of Popup Builder up to version 3.63, were first discovered by Ram Gall who works as a QA engineer at Defiant. Gall provided further details on how an attacker would use the vulnerabilities he found in the plugin in a blog post, saying:
“Typically, attackers use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, though it could also be used for site takeover if an administrator visited or previewed a page containing the infected popup while logged in.”
The other vulnerability makes it possible for any user that is logged in (with permissions as low as a subscriber) to gain access to plugin features to export subscriber lists and system configuration info using a simple POST request to admin-post.php.
The security flaws, tracked as CVE-2020-10196 and CVE-2020-10195, have both been fixed by Sygnoos with the release of Popup Builder version 3.65.1, after Gall disclosed the bugs to the company.
However, only 33,000 users of the plugin’s 100,000+ users have updated to the latest version which means that over 66,000 sites with previous versions of Popup Builder are still vulnerable and could be targeted by hackers.