SB2019052804 - Hard-coded credentials in Slick Popup WordPress plugin
Published: May 28, 2019 Updated: June 13, 2019
Description
This security bulletin contains information about 1 vulnerability.
1) Hard-coded credentials (CVE-ID: N/A)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to a privilege escalation flaw in the Slick Popup plugin that allows any user with Subscriber privileges to create an administrator account with default credentials. A remote attacker can then use the created account to take over the website.
Default credentials are:
Username: slickpopupteam
Password: OmakPass13#
Remediation
Install the update from the vendor's website.
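A check for the account named above, added here as an example and not part of the original bulletin or the vendor's code: it scans a WP-CLI user export for the `slickpopupteam` login and reports whether that account holds the administrator role. The sample export is constructed, and the function and dictionary key names are assumptions of this example.

```python
import csv
import io

# Username taken from the bulletin's default credentials.
BACKDOOR_LOGIN = "slickpopupteam"

# Constructed sample of the output of:
#   wp user list --fields=ID,user_login,roles,user_registered --format=csv
SAMPLE_EXPORT = """ID,user_login,roles,user_registered
1,siteadmin,administrator,2017-03-02 10:11:12
7,alice,subscriber,2019-04-30 08:00:00
9,SlickPopupTeam,"administrator,editor",2019-05-21 23:14:05
"""


def find_backdoor_accounts(export_csv, login=BACKDOOR_LOGIN):
    """Return one finding per row whose user_login matches `login`.

    The comparison is case-insensitive so a differently cased login
    is not missed. Multiple roles arrive as one comma-separated field.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user_login = (row.get("user_login") or "").strip()
        if user_login.lower() != login.lower():
            continue
        roles = [r.strip() for r in (row.get("roles") or "").split(",") if r.strip()]
        findings.append({
            "id": (row.get("ID") or "").strip(),
            "login": user_login,
            "roles": roles,
            "is_admin": "administrator" in roles,
            "registered": (row.get("user_registered") or "").strip(),
        })
    return findings


if __name__ == "__main__":
    for f in find_backdoor_accounts(SAMPLE_EXPORT):
        level = "ADMINISTRATOR" if f["is_admin"] else "non-admin"
        print(f"user {f['id']} ({f['login']}) present, {level}, "
              f"registered {f['registered']}")
```

A match means the account should be reviewed and removed and its sessions invalidated, in addition to installing the plugin update.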