Defiant researchers noted that in Slick Popup present dangerous functionality that in case of turning to technical support allows the user of the plugin to provide access to Om Ak Solutions specialists.
The problem is that for this purpose used special account with the same credentials for all installations: Slickpopupteam/OmakPass13 #.
Experts fear that attackers can easily compile lists of all sites using Slick Popup, and then check if there are special accounts for technical support.
Using this access, the attackers will be able to create other accounts themselves, leaving a backdoor on the site. In addition,level of access of an attacking user is unimportant, even simple “Subscriber” can create a backdoor.
“Attackers with at least Subscriber access to an affected site can create this user on their own. Since the AJAX action used to generate this user doesn’t contain any capabilities checks, it can be accessed by any logged-in user. This, combined with the hard-coded credentials in the plugin, means any user with an account can grant themselves administrative access and take over a site”, — reported in Defiant.
Currently, Om Ak Solutions developers have prepared a patch for the paid version of the plug-in only, while the free version is still vulnerable (although it is temporarily unavailable for download).
As a result, Defiant experts strongly recommend that users should temporarily disable or remove Slick Popup altogether. However, there is a third option: deactivate access function for technical support (action_splite_support_access AJAX), thereby limiting the creation of new accounts. However, researchers warn that this will not help to eliminate already existing backdoor account.
Source: https://www.wordfence.com/blog
About Pbmsoultions.com Pbmsoultions.com pop-ups can not launch out of the blue. If you have actually…
About Prizestash.com Prizestash.com pop-ups can not expose out of the blue. If you have actually…
About Verifiedbreaking.com Verifiedbreaking.com pop-ups can not launch out of nowhere. If you have actually clicked…
About Themoneyminutes.com Themoneyminutes.com pop-ups can not launch out of the blue. If you have actually…
About News-xcidizi.com News-xcidizi.com pop-ups can not introduce out of nowhere. If you have clicked some…
About Everytraffic-flow.com Everytraffic-flow.com pop-ups can not launch out of nowhere. If you have actually clicked…