Multiple vulnerabilities in Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter plugin



Published: 2020-03-13
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2020-10196
CVE-2020-10195
CWE-ID CWE-79
CWE-284
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
Web applications / Modules and components for CMS

Vendor Sygnoos

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Stored cross-site scripting

EUVDB-ID: #VU26054

Risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10196

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "allPopupData" parameter in "wp-admin/admin-ajax.php". A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter: 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.9.1, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.9.1, 2.5.9.2, 2.5.9.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.3.1, 2.6.3.2, 2.6.3.3, 2.6.4, 2.6.4.1, 2.6.4.2, 2.6.4.3, 2.6.4.4, 2.6.4.5, 2.6.4.5.1, 2.6.4.6, 2.6.5, 2.6.6, 2.6.7, 2.6.7.1, 2.6.7.2, 2.6.7.3, 2.6.7.4, 2.6.7.5, 2.6.7.6, 3.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.9.1, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.4.1, 3.1.5, 3.1.5.1, 3.1.5.2, 3.1.6, 3.1.6.1, 3.1.7, 3.1.7.1, 3.1.8, 3.1.9, 3.2, 3.3, 3.4, 3.41, 3.42, 3.43, 3.44, 3.45, 3.46, 3.47, 3.48, 3.49, 3.50, 3.51, 3.52, 3.53, 3.54, 3.55, 3.56, 3.57, 3.58, 3.59, 3.60, 3.61, 3.61.1, 3.62, 3.62.1, 3.63

CPE2.3 External links

http://wpvulndb.com/vulnerabilities/10127/
http://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-popup-builder-plugin-affecting-over-100000-sites/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper access control

EUVDB-ID: #VU26055

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10195

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in several actions. A remote authenticated attacker can send a specially crafted HTTP POST request and export a list of all newsletter subscribers, export system configuration information and grant themselves access to various features of the plugin.

The vulnerable actions included:

  • add_action('admin_post_csv_file', array($this, 'getSubscribersCsvFile'));
  • add_action('admin_post_sgpb_system_info', array($this, 'getSystemInfoFile'));
  • add_action('admin_post_sgpbSaveSettings', array($this, 'saveSettings'), 10, 1);

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter: 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.9.1, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.9.1, 2.5.9.2, 2.5.9.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.3.1, 2.6.3.2, 2.6.3.3, 2.6.4, 2.6.4.1, 2.6.4.2, 2.6.4.3, 2.6.4.4, 2.6.4.5, 2.6.4.5.1, 2.6.4.6, 2.6.5, 2.6.6, 2.6.7, 2.6.7.1, 2.6.7.2, 2.6.7.3, 2.6.7.4, 2.6.7.5, 2.6.7.6, 3.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.9.1, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.4.1, 3.1.5, 3.1.5.1, 3.1.5.2, 3.1.6, 3.1.6.1, 3.1.7, 3.1.7.1, 3.1.8, 3.1.9, 3.2, 3.3, 3.4, 3.41, 3.42, 3.43, 3.44, 3.45, 3.46, 3.47, 3.48, 3.49, 3.50, 3.51, 3.52, 3.53, 3.54, 3.55, 3.56, 3.57, 3.58, 3.59, 3.60, 3.61, 3.61.1, 3.62, 3.62.1, 3.63

CPE2.3 External links

http://wpvulndb.com/vulnerabilities/10127/
http://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-popup-builder-plugin-affecting-ove...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###