Flaws in Popup Builder Plugin Impacted Over 100,000 WordPress Sites
Security News, March 2020
More than 100,000 WordPress websites were potentially affected by a series of vulnerabilities recently discovered and addressed in the Popup Builder plugin.
Designed to help with the creation and management of promotional modal pop-ups for WordPress blogs and websites, Popup Builder also includes the ability to run custom JavaScript code when the pop-up is loaded.
Security researchers at WordPress security firm Defiant report that Popup Builder before version 3.64.1 is impacted by vulnerabilities that could allow attackers to inject malicious code without authentication, or leak user information and system configuration data.
While such vulnerabilities are typically abused to redirect users to malvertising sites or for information theft, the issue could also be leveraged for site takeover if the infected pop-up was displayed to a logged-in administrator, Defiant says.
The vulnerabilities were reported to the plugin's developer on March 5, with a fully patched version of Popup Builder released on March 11.