A vulnerability in the plugin Slick Popup lets hackers get into a WordPress website through a backdoor administrator account.

The flaw, found in all versions of Slick Popup up to 1.71 and discovered by researchers at Defiant, is in a feature designed to give the plugin’s developer, Om Ak Solutions, access to websites running Slick Popup.  The login credentials for the administrative accounts are the same for all of the sites.

“It seems that in an earlier version of the plugin, the source code did contain the unusable credentials YOURUSERNAME/YOURPASSWORD hardcoded and a safety check that these values have been changed by the site administrator or else the plugin would throw an error,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “But in the most recent version published, those dummy values have been changed to the hardcoded values slickpopupteam/OmakPass13#, rendering the safety check useless.”

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.