Researchers at Defiant have discovered a flaw in the Slick Popup WordPress plugin that lets attackers get into vulnerable websites and create backdoor accounts. The issue affects every version of the plugin, including the latest, 1.7.1. Slick Popup has about 7,000 installations and is developed by Om Ak Solutions; it is designed to work alongside another popular WordPress solution, Contact Form 7.
The Defiant researchers note that Slick Popup contains a dangerous piece of functionality: when a plugin user contacts technical support, the plugin lets them grant site access to Om Ak Solutions staff.
The problem is that this access uses a dedicated account with the same credentials on every installation: Slickpopupteam / OmakPass13#.
The researchers fear that attackers can easily compile a list of all sites running Slick Popup and then check each one for the technical-support account.
With that access, attackers can create further accounts of their own, leaving a backdoor on the site. Moreover, the privilege level of the attacking user does not matter: even a plain Subscriber can create the backdoor.
“Attackers with at least Subscriber access to an affected site can create this user on their own. Since the AJAX action used to generate this user doesn’t contain any capabilities checks, it can be accessed by any logged-in user. This, combined with the hard-coded credentials in the plugin, means any user with an account can grant themselves administrative access and take over a site,” Defiant reported.
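The bug class Defiant describes is a WordPress admin-ajax handler that runs for any logged-in user and performs no capability check. The following is an added illustration written for this article, not code from the Slick Popup plugin: a hypothetical handler with that shape, followed by a hardened version. The hook names, function names, e-mail address and credentials are invented for the example.

```php
<?php
/*
 * Added illustration, not code from the Slick Popup plugin.
 * A hypothetical admin-ajax handler with the same shape of bug Defiant
 * describes: it creates an administrator with credentials fixed in the source
 * and checks nothing about who is calling it. Below it is the hardened form.
 * The hook name, function names, e-mail and credentials are invented.
 */

const EXAMPLE_SUPPORT_LOGIN = 'vendor_support';    // constructed, not the real account
const EXAMPLE_SUPPORT_PASS  = 'SameOnEverySite1!'; // constructed

// VULNERABLE: 'wp_ajax_*' hooks fire for ANY authenticated user, Subscriber
// included, so the only "check" here is that the caller is logged in.
add_action( 'wp_ajax_example_support_access', 'example_support_access_vulnerable' );
function example_support_access_vulnerable() {
    if ( ! username_exists( EXAMPLE_SUPPORT_LOGIN ) ) {
        $user_id = wp_create_user( EXAMPLE_SUPPORT_LOGIN, EXAMPLE_SUPPORT_PASS, 'support@example.invalid' );
        if ( ! is_wp_error( $user_id ) ) {
            ( new WP_User( $user_id ) )->set_role( 'administrator' );
        }
    }
    // Whoever reached this point now knows an administrator login for the site.
    wp_send_json_success();
}

// HARDENED: the same feature with three changes.
add_action( 'wp_ajax_example_support_access_hardened', 'example_support_access_hardened' );
function example_support_access_hardened() {
    // 1. Capability check: only a user who may already create users can do this.
    //    current_user_can() is exactly what the vulnerable handler lacks.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // calls wp_die(); nothing below runs
    }
    // 2. Nonce check: an administrator cannot be tricked into firing this via CSRF.
    //    check_ajax_referer() dies when the nonce is missing or stale.
    check_ajax_referer( 'example_support_access', 'nonce' );
    // 3. No credentials in source: a random per-site password, returned once to
    //    the administrator who asked for it and never kept in plaintext.
    $password = wp_generate_password( 24, true, true );
    $user_id  = wp_create_user( EXAMPLE_SUPPORT_LOGIN, $password, 'support@example.invalid' );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    ( new WP_User( $user_id ) )->set_role( 'administrator' );
    wp_send_json_success( array( 'login' => EXAMPLE_SUPPORT_LOGIN, 'password' => $password ) );
}
```

The request that reaches the hardened handler must carry a `nonce` parameter generated with `wp_create_nonce( 'example_support_access' )` on the page that triggers it; a Subscriber who posts `action=example_support_access_hardened` to `admin-ajax.php` is stopped at the capability check before any account is touched.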
So far Om Ak Solutions has prepared a patch only for the paid version of the plugin; the free version remains vulnerable (although it has been temporarily withdrawn from download).
Defiant therefore strongly recommends that users temporarily disable or remove Slick Popup altogether. There is a third option: disable the technical-support access function (the action_splite_support_access AJAX action), which blocks the creation of the support account. The researchers warn, however, that this does nothing about a backdoor account that already exists.
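For a site that must keep the plugin installed until the free version is fixed, the two halves of that advice (block the AJAX action, then deal with any account it already created) can be applied from a must-use plugin. The following is an added example written for this article, not code from Om Ak Solutions or Defiant. It uses the account login and AJAX action name given in the report; the log messages, function names and the choice of which administrator inherits the deleted account's content are assumptions of the example.

```php
<?php
/*
 * Plugin Name: Slick Popup support-access kill switch (added example)
 * Description: Illustration written for this article, not Om Ak Solutions' code.
 *              Drop it into wp-content/mu-plugins/ on a site that must keep the
 *              plugin installed until the free version is patched.
 */

// The account login and AJAX action are the identifiers given in the report.
// WordPress's default database collation is case-insensitive, so the
// capitalisation used in the report does not matter for the lookup below.
const SLICKPOPUP_SUPPORT_LOGIN  = 'slickpopupteam';
const SLICKPOPUP_SUPPORT_ACTION = 'action_splite_support_access';

// 1. Neutralise the support-access AJAX action. 'wp_ajax_' is the prefix
//    WordPress uses for authenticated admin-ajax.php actions. Unhook whatever
//    the plugin registered, then register a callback at the lowest priority so
//    it runs first and ends the request even if the action is re-hooked later.
add_action( 'init', function () {
    remove_all_actions( 'wp_ajax_' . SLICKPOPUP_SUPPORT_ACTION );
    add_action( 'wp_ajax_' . SLICKPOPUP_SUPPORT_ACTION, 'slickpopup_block_support_access', PHP_INT_MIN );
}, PHP_INT_MAX );

function slickpopup_block_support_access() {
    // A logged-in user hitting this action after the switch is a signal worth
    // keeping: a Subscriber has no legitimate reason to call it.
    error_log( sprintf(
        'blocked %s from user %d at %s',
        SLICKPOPUP_SUPPORT_ACTION,
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? '?'
    ) );
    wp_send_json_error( 'support access disabled', 403 ); // calls wp_die()
}

// 2. The switch above does nothing about an account that already exists, so
//    look for it and delete it, reassigning anything it owns to another
//    administrator so that no content disappears with it.
function slickpopup_remove_support_account() {
    $user = get_user_by( 'login', SLICKPOPUP_SUPPORT_LOGIN );
    if ( ! $user ) {
        return false; // nothing to clean up
    }
    require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()
    $others = get_users( array(
        'role'    => 'administrator',
        'exclude' => array( $user->ID ),
        'number'  => 1,
        'fields'  => 'ID',
    ) );
    $reassign = $others ? (int) $others[0] : null;
    $deleted  = wp_delete_user( $user->ID, $reassign );
    error_log( sprintf( 'removed hard-coded account %s: %s', SLICKPOPUP_SUPPORT_LOGIN, $deleted ? 'ok' : 'failed' ) );
    return $deleted;
}
add_action( 'admin_init', 'slickpopup_remove_support_account' );

// 3. An attacker who used the support account may have added administrators
//    under other names; this returns every administrator login for a manual audit.
function slickpopup_list_administrators() {
    return wp_list_pluck( get_users( array( 'role' => 'administrator' ) ), 'user_login' );
}
```

Deleting the known account is only the first step of the cleanup: review the list returned by `slickpopup_list_administrators()` (or `wp user list --role=administrator` in WP-CLI) against the administrators you expect, and rotate any credentials the support account could have reached while it existed.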