WordPress Popup Maker Vulnerability Affects Up To +700,000 Sites


The U.S. government's National Vulnerability Database issued an advisory about a Stored Cross-Site Scripting vulnerability in the popular Popup Maker plugin for WordPress.

Popup Maker for WordPress

A vulnerability was discovered in the "Popup Maker – Popup for opt-ins, lead gen, & more" WordPress plugin, which is installed on over 700,000 websites.

The Popup Maker plugin integrates with many of the most popular contact forms, with features designed to drive conversions in WooCommerce stores, email newsletter signups and other popular lead-generation uses.

Although the plugin has only been around since 2021, it has experienced phenomenal growth and earned over 4,000 five-star reviews.

Popup Maker Vulnerability

The vulnerability affecting this plugin is known as stored cross-site scripting (XSS). It is called "stored" because the malicious script is uploaded to the website and saved on the server itself.

XSS vulnerabilities generally occur when an input fails to sanitize what is being submitted. Anywhere a user can enter data can become vulnerable when there is a lack of control over what can be uploaded.

This particular vulnerability can occur when an attacker who has obtained the credentials of a user with at least contributor-level access initiates the attack.

The U.S. government's National Vulnerability Database describes the reason for the vulnerability and how an attack can occur:

"The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks."

An official changelog published by the plugin author indicates that the exploit allows a person with contributor-level access to run JavaScript.

The Popup Maker plugin changelog for version V1.16.9 notes:

"Security: Patched XSS vulnerability allowing contributors to run unfiltered JavaScript."

Security company WPScan (owned by Automattic) published a proof of concept that shows how the exploit works:

"As a contributor, put the following shortcode in a post/page

[pum_sub_form name_field_type="fullname" label_name="Name" label_email="Email" label_submit="Subscribe" placeholder_name="Name" placeholder_email="Email" form_layout="block" form_alignment="center" form_style="default" privacy_consent_enabled="yes" privacy_consent_label="Notify me about related content and special offers." privacy_consent_type="radio" privacy_consent_radio_layout="inline" privacy_consent_yes_label="Yes" privacy_consent_no_label="No" privacy_usage_text="If you opt in above we use this information send related content, discounts and other special offers." redirect_enabled redirect="javascript:alert(/XSS/)"]

The XSS will be triggered when previewing/viewing the post/page and submitting the form."
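The root cause described by the advisory is a shortcode attribute that ends up in the page as a redirect target without scheme validation. The following is an added, hypothetical WordPress shortcode handler written for this article, not Popup Maker's own code: it places the weak pattern beside a hardened one. All function names beginning with `hypothetical_` are invented for illustration; `shortcode_atts()`, `esc_url_raw()`, `wp_allowed_protocols()`, `wp_parse_url()`, `esc_attr()` and `add_shortcode()` are real WordPress core APIs.

```php
<?php
// Hypothetical subscription-form shortcode (illustration only, not Popup Maker code).
// The "redirect" attribute is where a contributor-supplied value reaches the page.

// WEAK PATTERN (for contrast only): the attribute is emitted exactly as supplied.
// A value such as javascript:alert(/XSS/) becomes an executable navigation target
// when the form's submit handler assigns it to window.location.
function hypothetical_sub_form_weak( $atts ) {
    $atts = shortcode_atts( array( 'redirect' => '' ), $atts, 'hypothetical_sub_form' );
    return '<form data-redirect="' . $atts['redirect'] . '"> ... </form>';
}

// Hardened helper: accept only an absolute http(s) URL, otherwise return ''.
function hypothetical_safe_redirect_url( $url ) {
    $url = trim( (string) $url );
    if ( '' === $url ) {
        return '';
    }
    // esc_url_raw() returns '' for any URL whose scheme is not listed in
    // wp_allowed_protocols(); javascript: and data: are never in that list.
    $clean = esc_url_raw( $url );
    if ( '' === $clean ) {
        return '';
    }
    // Narrow further: a post-submit redirect only ever needs http or https
    // (mailto:, tel: and the other allowed protocols make no sense here).
    $scheme = wp_parse_url( $clean, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return '';
    }
    return $clean;
}

// HARDENED PATTERN: validate the value for the URL context it will be used in,
// then escape it for the HTML attribute context it is written into.
function hypothetical_sub_form_safe( $atts ) {
    $atts     = shortcode_atts( array( 'redirect' => '' ), $atts, 'hypothetical_sub_form' );
    $redirect = hypothetical_safe_redirect_url( $atts['redirect'] );
    // esc_attr() alone would NOT have stopped javascript: (it only encodes quotes
    // and angle brackets); the scheme check above is what removes the XSS.
    return '<form data-redirect="' . esc_attr( $redirect ) . '"> ... </form>';
}
add_shortcode( 'hypothetical_sub_form', 'hypothetical_sub_form_safe' );
```

With the hardened handler the proof-of-concept value above yields an empty `data-redirect`, so the form simply does not redirect; the same two-step rule (validate for the destination context, then escape for the output context) is the check to look for when reviewing any shortcode that accepts a URL from low-privilege roles.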

While there is no description of how harmful this particular exploit could be, in general, stored XSS vulnerabilities can have severe consequences including full site takeover, user data exposure and the planting of Trojan horse programs.

There have been subsequent updates since the original patch was issued in version 1.16.9, including a more recent update that fixes a bug introduced by the security patch.

The most current version of the Popup Maker plugin is V1.17.1.

Publishers who have the plugin installed should consider updating to the latest version.


Read the U.S. government's National Vulnerability Database advisory:

CVE-2022-4381 Detail

Read the WPScan advisory:

Popup Maker < 1.16.9 – Contributor+ Stored XSS via Subscription Form

Featured image by Shutterstock/Asier Romero
