CVE-2023-6000 - Critical Security Vulnerability in the Popup Builder WordPress Plugin

In this long read post, we will examine a critical security vulnerability in the Popup Builder WordPress plugin, identified as CVE-2023-6000. Affecting versions of the plugin prior to 4.2.3, this vulnerability allows simple visitors to update existing popups and inject raw JavaScript into them, potentially leading to Stored XSS attacks.

Below, we will provide the necessary code snippets, original references, and full exploit details to help you understand the vulnerability and learn how to protect your WordPress site.

Description of the vulnerability

The Popup Builder WordPress plugin is a highly popular plugin used by many for creating engaging pop-ups. However, it was discovered that the plugin before version 4.2.3 did not properly prevent simple visitors from updating existing popups. Consequently, attackers could exploit this vulnerability and inject malicious JavaScript code into the popup content, leading to dangerous Stored XSS attacks.

Code snippet demonstrating the vulnerability

To demonstrate this vulnerability, let's consider a simple code snippet that shows how an attacker could potentially update existing popups and inject malicious JavaScript code:

POST /wp-admin/admin-ajax.php?action=sgpb_add_new_popup
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

popupType=simple_popup&sgpb_popup_title=Test+Popup&sgpb_content=%3Cscript%3Ealert(1)%3C%2Fscript%3E&sgpb_add_popup_nonce=XXXXXXXX

In this example, the attacker submits a POST request to admin-ajax.php, specifying the sgpb_add_new_popup action. They provide the required parameters, such as the popup type (simple_popup), the popup title (Test Popup), and the malicious content (<script>alert(1)</script>). The content parameter contains the raw JavaScript code that would execute the alert function, which is indicative of a possible Stored XSS attack.

Please note that this example serves merely as a demonstration and should not be used for exploiting the vulnerability in any real-world situation.

Original references

The vulnerability was initially discovered and reported by security researchers from MindCraft.MainA at the following URL:

- Popup Builder version < 4.2.3 Auth Bypass leading to Stored XSS

Subsequently, the WordPress plugin authors acknowledged the vulnerability and released a patch in version 4.2.3 of the plugin:

- Popup Builder - Changelog

Identify the target WordPress site that uses the Popup Builder plugin with a version before 4.2.3.

2. Create a POST request to the target site's admin-ajax.php with the required parameters and the malicious content.
3. Wait for an unsuspecting user or administrator to interact with the updated popup containing the injected JavaScript code.
4. Execute malicious actions within the context of the user or administrator, such as injecting malicious scripts, stealing session cookies, or performing unauthorized actions.

Update the Popup Builder to the latest version (>= 4.2.3).

2. Ensure that you have the latest security patches installed for your WordPress site and other plugins.

Regularly review your WordPress site's plugin usage, removing any unnecessary or outdated plugins.

4. Implement a strict Content Security Policy (CSP) to help mitigate the potential impact of XSS attacks.

Conclusion

In conclusion, CVE-2023-6000 is a critical security vulnerability in the Popup Builder WordPress plugin, which allows simple visitors to update existing popups and inject malicious JavaScript into them. This vulnerability can lead to dangerous Stored XSS attacks if not properly mitigated. By understanding the exploit details and taking the necessary steps to protect your WordPress site, you can safeguard against such attacks and keep your user data secure.

Timeline

Published on: 01/01/2024 15:15:43 UTC
Last modified on: 01/08/2024 15:14:56 UTC