Multiple vulnerabilities in Popup-Maker < plugin for WordPress
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2019-17574 |
| CWE-ID | CWE-284 CWE-352 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. |
| Vulnerable software |
Popup Maker - Popup Forms, Optins & More Web applications / Modules and components for CMS |
| Vendor | Daniel Iser |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU21964
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-17574
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to calls which can be performed and require no authentication. A remote attacker can call any method which contains an action starting from "popmake_" or "pum_", execute functions which do not require arguments (e.g: PUM_Admin_Tools::sysinfo_download or PUM_Admin_Tools::sysinfo_display) and obtain information regarding WordPress Plugins (active/inactive), the Webserver Configuration, the PHP Configuration and more.
PoC:
- curl http://www.your-domain-with-popup-maker.com/?pum_action=tools_page_tab_system_info
- curl -v -d “popmake_action=popup_sysinfo&popmake-sysinfo=choose any content you like” -X POST http://www.your-domain-with-popup-maker.com/
Install updates from vendor's website.
Vulnerable software versionsPopup Maker - Popup Forms, Optins & More: 1.0 - 1.8.12
CPE2.3- cpe:2.3:a:danieliser:popup-maker:1.0:*:*:*:*:wordpress:*:*
- cpe:2.3:a:danieliser:popup-maker:1.0.1:*:*:*:*:wordpress:*:*
- cpe:2.3:a:danieliser:popup-maker:1.0.2:*:*:*:*:wordpress:*:*
https://blog.redyops.com/wordpress-plugin-popup-maker/
https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Cross-site request forgery
EUVDB-ID: #VU21965
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "_wpnonce" or "pum_tools_nonce" nonces. A remote attacker can trick the victim to visit a specially crafted web page with "popmake-system-info.txt" file and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPopup Maker - Popup Forms, Optins & More: 1.0 - 1.8.12
CPE2.3- cpe:2.3:a:danieliser:popup-maker:1.0:*:*:*:*:wordpress:*:*
- cpe:2.3:a:danieliser:popup-maker:1.0.1:*:*:*:*:wordpress:*:*
- cpe:2.3:a:danieliser:popup-maker:1.0.2:*:*:*:*:wordpress:*:*
https://blog.redyops.com/wordpress-plugin-popup-maker/
https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
