Defective WordPress popup plugin allows attackers to inject malicious code
Security flaws in the Popup Builder plugin put thousands of websites at risk.
A vulnerability has been found in a popular WordPress plugin called Popup Builder, which can inject malicious JavaScript code into pop-ups to help unauthorized attackers steal information and take full control of the target site.

The plugin provides site owners with the ability to create, deploy and manage customizable pop-ups using a variety of content, from HTML and JavaScript code to images and videos. Signs, the developer of Popup Builder, says businesses can leverage this through smart pop-ups that can be used to display ads, subscription requests, discounts, and other promotional content to boost sales and profits.
The security flaw in the plugin affected all versions of Popup Builder up to version 3.63 and was first discovered by Ram Gall, who works as Defiant’s QA engineer. Gall provided details on how attackers use the vulnerabilities found in plugins in blog posts as follows:
“In general, an attacker could use this vulnerability to redirect site visitors to a malicious ad site or steal sensitive information from a browser but could be used to take over a site if an administrator visits or previews a page containing an infected pop-up while logged in. There is.”
Popup builder vulnerability
One of the vulnerabilities that Gall found in the Popup Builder plug-in could allow an unauthorized attacker to insert malicious JavaScript code into a published pop-up, causing it to run whenever code is loaded.
Other vulnerabilities allow logged-in users (users with low subscriber privileges) to access plug-in functionality to export subscriber lists and system configuration information using simple POST requests to admin-post.php.
After Gall released a bug to the company, security flaws tracked as CVE-2020-10196 and CVE-2020-10195 were fixed with the release of Popup Builder version 3.65.1 by Cygnus.
However, of the more than 100,000 plugin users, only 33,000 have been updated to the latest version. This means that more than 66,000 sites with older versions of Popup Builder are still vulnerable, making them a target for hackers.