Multiple Vulnerabilities In WordPress Plugin Popup Builder
WebARX has reported that the Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter plugin (versions 3.71 and below) suffers from a lack of authorization in most AJAX methods.
The Popup Builder WordPress plugin has 200 000+ active installations.
According to WebARX the authorization issues in the plugin are caused due to many of the AJAX methods not checking the capability of the user. A method to check the capability of the user is present in the plugin but was not used in these methods.
A nonce token on the other hand is checked but since this nonce token is sent to all users regardless of their capabilities, any user can execute the vulnerable AJAX methods as long as they pass the nonce token.
If you use this plugin please ensure you update to the latest version, at the time of publication this is version 3.73
I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.