The Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter plugin (versions 3.71 and below) suffers from a lack of authorization in most AJAX methods.
The Popup Builder WordPress plugin has 200 000+ active installations and the latest version available is 3.73.
See all Popup Builder vulnerabilities.
This in turn results in multiple vulnerabilities such as the ability to send out newsletters with custom content and sender, local file inclusion (limited to first-line), deleting subscribers, importing subscribers, and more.
The Popup Builder plugin is described as a plugin that allows you to create and manage powerful promotion modal popups for your WordPress blog or website.
The vulnerability in the Popup Builder plugin
The authorization issues in the plugin are caused due to many of the AJAX methods not checking the capability of the user. A method to check the capability of the user is present in the plugin but was not used in these methods.
A nonce token on the other hand is checked but since this nonce token is sent to all users regardless of their capabilities, any user can execute the vulnerable AJAX methods as long as they pass the nonce token.
Vulnerable methods
A snippet of one of the vulnerable methods is shown below along with the importConfigView.php file it includes. This method allows you to import a list of subscribers from a remote URL, which is then handled in the method saveImportedSubscribers.
The remote URL taken from $_POST['importListURL'] can also be the absolute path to a local file since the file importConfigView.php (displayed in the second code snippet), which is loaded in the importSubscribers method, uses the file PHP method to load its contents.
add_action('wp_ajax_sgpb_import_subscribers', array($this, 'importSubscribers'));
//
public function importSubscribers()
{
check_ajax_referer(SG_AJAX_NONCE, 'nonce');
$formId = (int)sanitize_text_field($_POST['popupSubscriptionList']);
$fileURL = sanitize_text_field($_POST['importListURL']);
ob_start();
require_once SG_POPUP_VIEWS_PATH.'importConfigView.php';
$content = ob_get_contents();
ob_end_clean();
echo $content;
wp_die();
}
<?php
use sgpbAdminHelper;
use sgpbSubscriptionPopup;
@ini_set('auto_detect_line_endings', '1');
$fileContent = AdminHelper::getFileFromURL($fileURL);
$csvFileArray = array_map('str_getcsv', file($fileURL));
//....
An example of another vulnerable method is shown below. This method allows someone to send out a newsletter using newsletter data taken from the $_POST['newsletterData'] user input variable.
This can also include custom email body content, email sender, and several other attributes that will essentially allow a malicious user to send out emails to all subscribers.
add_action('wp_ajax_sgpb_send_newsletter', array($this, 'sendNewsletter'));
//
public function sendNewsletter()
{
check_ajax_referer(SG_AJAX_NONCE, 'nonce');
global $wpdb;
$newsletterData = stripslashes_deep($_POST['newsletterData']);
if (isset($newsletterData['testSendingStatus']) && $newsletterData['testSendingStatus'] == 'test') {
AdminHelper::sendTestNewsletter($newsletterData);
}
$subscriptionFormId = (int)$newsletterData['subscriptionFormId'];
$updateStatusQuery = $wpdb->prepare('UPDATE '.$wpdb->prefix.SGPB_SUBSCRIBERS_TABLE_NAME.' SET status = 0 WHERE subscriptionType = %d', $subscriptionFormId);
$wpdb->query($updateStatusQuery);
$newsletterData['blogname'] = get_bloginfo('name');
$newsletterData['username'] = wp_get_current_user()->user_login;
update_option('SGPB_NEWSLETTER_DATA', $newsletterData);
wp_schedule_event(time(), 'sgpb_newsletter_send_every_minute', 'sgpb_send_newsletter');
wp_die();
}
The only requirement for exploitation is that the user is logged in and has access to the nonce token. Since this affects a large number of methods, they will not all be listed in this blog post.
However, it is affecting methods which in turn could cause damage to the reputation and security status of the site.
The timeline of the Popup Builder plugin vulnerability
2nd December 2020 - We discovered the vulnerability and released a vPatch to all Patchstack customers.
2nd December 2020- We reported the issue to the developer of the Popup Builder plugin.
3rd December 2020 - The developer replied and started working on a fix.
8th December 2020 - The developer released version 3.71 which only added an authorization check to the AJAX method to send newsletters, not all of them.
4th of January 2021 - Asked the developer for an update regarding progress on a new fixed version.
12th of January 2021 - No response so far, asked the developer for an update again.
22nd of January 2021 - Version 3.72 was released which contains the proper fixes, the AJAX actions now have an authorization check.
28th of January 2021 - Published the article.
Websites with Patchstack installed are protected from the issue and have received a vPatch.
