A vulnerability in the plugin Slick Popup lets hackers get into a WordPress website through a backdoor administrator account.
The flaw, found in all versions of Slick Popup up to 1.71 and discovered by researchers at Defiant, is in a feature designed to give the plugin’s developer, Om Ak Solutions, access to websites running Slick Popup. The login credentials for the administrative accounts are the same for all of the sites.
“It seems that in an earlier version of the plugin, the source code did contain the unusable credentials YOURUSERNAME/YOURPASSWORD hardcoded and a safety check that these values have been changed by the site administrator or else the plugin would throw an error,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “But in the most recent version published, those dummy values have been changed to the hardcoded values slickpopupteam/OmakPass13#, rendering the safety check useless.”
Once hackers are logged in, they can create additional backdoors. The company initially offered a fix for its paid offering, but not a patch for users of the free version of Slick Popup, which has since been made unavailable for download.
Hahad called the vulnerability “unsettling” for many reasons. “First of all, I am appalled at why did the developer leave a backdoor account with a hardcoded username and password in the publicly released version of the plugin, where anyone can see those values,” said Hahad. “Secondly, I am surprised at the reaction of the developer not to provide a fix for the free version given it is open source, and only provide it for the paid subscribers.”
The vulnerability also “goes a long way to highlight the misconception that because a software is open source, it must be safe to use,” he said. “You really have to do your legwork before integrating a third-party package in your solution, and that includes not only looking for potential gaps in the downloaded version, but also in the security posture of the provider to avoid any future supply chain attack.”
“The Slick Popup plugin opens a backdoor for developers with administrator access,” said Jonathan Olivera, threat analyst at Centripetal. “There is a balance that needs to be struck where leadership must identify their priorities in terms of convince and security.”
Olivera explained that granting “access to entities outside an organization must be taken extremely seriously because security professionals will now need to worry about the security standards at the entity in question as it is now an added and unknown domain.”
The vulnerability demonstrates that “security on open-source platforms like WordPress is only as strong as its weakest link – or the weakest plugin that users happen to install,” said Vinay Mamidi, senior director of product management at Virsec. “With thousands of plugins available, it’s hard for end customers to know where a third-party developer might have taken shortcuts that compromise security for the whole stack.”
