The flaw could have let attackers send out custom newsletters and delete newsletter subscribers from 200,000 affected websites.
Developers of a plugin, used by WordPress websites for building pop-up ads for newsletter subscriptions, have issued a patch for a serious flaw. The vulnerability could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.
The plugin in question is Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter, from developer Sygnoos. The plugin has been installed on 200,000 WordPress websites. Versions 3.71 and below are affected by the vulnerability (a fix has been issued in version 3.72; and the latest version is 3.73).
“The only requirement for exploitation is that the user is logged in and has access to the nonce token,” said researchers with WebArx on Friday. “It is affecting methods which in turn could cause damage to the reputation and security status of the site.”
The issue stems from a lack of authorization for AJAX methods in the plugin. AJAX is a set of web-development techniques that are used to create web applications; the AJAX method is used to perform an AJAX request.
In this case, the AJAX method does not check the capability of the user. Because of this, the AJAX endpoint, intended to only be accessible to administrators, actually also could allow subscriber-level users to perform a number of actions that can compromise the site’s security, researchers said. A subscriber is a user role in WordPress, usually the with very limited capabilities, including logging into the website and leaving comments.
One vulnerable method is related to the importConfigView.php file. Without authorization, attackers could utilize this method to import a list of subscribers from a remote URL, which is then handled in the method saveImportedSubscribers. Attackers could also leverage the importConfigView.php file to import malicious files from the remote URL. The only limitation is that if it is not a legitimate CSV file (files designed to easily export data and import it into other programs), the file will only output the first line of the given file, said researchers. Another vulnerable method allows attackers to send out a newsletter using newsletter data taken from the $_POST[‘newsletterData’] user input variable.
“This can also include custom email body content, email sender, and several other attributes that will essentially allow a malicious user to send out emails to all subscribers,” said researchers.
Researchers noted that a nonce token is checked – but because this nonce token is sent to all users regardless of their capabilities, any user can execute the vulnerable AJAX methods as long as they pass the nonce token. A nonce is a cryptographic number, used by authentication protocols to protect private communications by preventing replay attacks.
Researchers discovered the flaw on Dec. 2, 2020, and notified the developer on the same day. A patch was released for the flaw on Jan. 22, 2021 in version 3.72 of the plugin. In this version, the AJAX actions now have an authorization check barring attackers from exploiting the flaw.
WordPress plugins have been found to have serious vulnerabilities. Earlier in January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!