The Vulnerability was found by WordFence on March 4, 2020 and accordingly reached the plugin developers. The WordPress plugin weakness influences Popup Builder versions that are less then version 3.64.1.
The plugin developers transferred a fixed document seven days after the fact on March 11, when the updated plugin was became available for download.
A changelog is a clarification of what an update is about. It’s significant for a changelog to be enlightening so that the plugin user can realize that something is urgent.
Sadly, some WordPress plugin developers either don’t make reference to the security issue or portray it in obscure and conventional terms.
Popup Builder plugin’s changelog noticed that there is a security update however it doesn’t make reference to the seriousness or significance of it. It’s dubious but atleast they uncover that the update tends to a security concern.
The update is explained as “Security fixes” which actually imparts that a security issue has been fixed but doesn’t provide a sense of urgency necessary for a vulnerability of this seriousness.
The second vulnerability permits the attacker to download subscriber lists and access various plugin features.
This vulnerability influences more than 100,000 plugin users. It’s significant for publishers to download and update their plugins.
As indicated by security plugin creator Wordfence:
“Typically, attackers use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, though it could also be used for site takeover if an administrator visited or previewed a page containing the infected popup while logged in.”
It’s critical to update this plugin. Failure to do so could welcome attackers to assume control over a site.
We at CodeLedge, provide the best WordPress Website, WordPress Theme Customization and WordPress Plugin Development in Sweden. Feel free to discuss your queries with us. Email us at firstname.lastname@example.org or get a quote from here.