WordPress is facing more vulnerabilities, this time in its Popup Builder plugin. The flaw allows unauthenticated attackers to inject malicious JavaScript into popups, which can then affect tens of thousands of websites and allow the attacker to steal information and take over targeted sites in the worst-case scenario. The plugin was created to allow WordPress users to create, deploy and manage popups that contain a wide range of content from both HTML and JavaScript code.
The plugin’s developer Sygnoos stated that it is a tool that increases revenue via smart pop-ups used to display ads, subscription requests, and other promotional content. However, the vulnerability discovered by a Defiant QA Engineer can affect all versions up to and including Popup Builder 3.623.
Read More: WordPress Plugin Bug Allows Malicious Code Injection on 100K Sites
