Vulnerability in Popup Builder plugin discovered
Wordfence discovered the vulnerability on March 4, 2020 and subsequently contacted the plugin's developers. The WordPress plugin vulnerability affects versions of Popup Builder prior to 3.64.1.
The plugin developers released the patched version a week later, on March 11, when the updated plugin was made available for download.
A changelog explains what an update changes. It should be descriptive enough that plugin users can tell when an update is urgent.
Unfortunately, some WordPress plugin developers do not mention the security issue or describe it in vague and generic terms.
The Popup Builder changelog does indicate that this is a security update, but it says nothing about the severity or importance of what was fixed. It is vague, but at least it reveals that the update fixes a security issue.
The entry reads simply "security patches", which technically communicates that a security issue has been fixed but does not convey the urgency that a vulnerability of this severity warrants.
Here is a screenshot of the Popup Builder changelog:
What are the vulnerabilities?
The second vulnerability allows an attacker to export the plugin's subscriber lists and access numerous other plugin features.
The vulnerabilities affect more than 100,000 sites running the plugin. Publishers who use Popup Builder should update it without delay.
According to security plugin maker Wordfence:
“Typically, attackers use a vulnerability like this to redirect site visitors to malicious sites or steal sensitive information from their browsers, although it could also be used for site takeover if an administrator visited or previewed a page containing the infected pop-up while logged in.”
It is very important to update this plugin. Failing to do so could allow attackers to take over the site.
Read Wordfence’s announcement:
Fixed vulnerabilities in Popup Builder plugin affecting over 100,000 sites