MalCare Defends Against Login/Signup Popup Privilege Escalation Vulnerability

by

7-layers of Security for Your WordPress Site

Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.

Imagine realizing that your once-secure office building, with restricted access to only trusted personnel, is now accessible to unauthorized individuals who have the same executive privileges as you!

Now, imagine that office building to be your WordPress siteā€¦ Scary, right?

This alarming scenario recently became a reality for websites that use the Login/Signup Popup plugin, which was hit by a critical privilege escalation vulnerability. Due to this vulnerability, any ordinary subscriber could promote themselves to an administrator level, gaining the authority to alter content, install potentially dangerous software, and overall, take full control of your site.

If you have the Login/Signup Popup plugin installed, scan your site immediately with MalCare!

What is the vulnerability?

Plugin information

  • Vulnerable plugin versions: v2.7.1 and v2.7.2
  • Patch release version: v2.7.3

About the vulnerability

Login/Signup Popup is a plugin that simplifies user registration, login, and password reset processes. It boasts extensive customizability for forms and has over 40,000 active installations.

Login/Signup Popup plugin

The Login/Signup Popup plugin is vulnerable to privilege escalation due to improper usage of the import_settings() function in v2.7.1 and v2.7.2.

The import_settings() function is used to import the plugin’s admin settings. However, in the vulnerable version, this function lacked both capability checks and nonce checks. This omission allows authenticated attackers with subscriber-level permissions to invoke the AJAX function.

Upon further investigation, it was discovered that there are no restrictions on the option names that can be updated. Crucially, this means the settings that can be modified are not confined to the pluginā€™s own settings. As a result, attackers can update arbitrary options by sending direct requests to the server with chosen option names and values.

Vulnerable code

WordPress site options influence a range of settings including site URLs, general settings, registration, and user roles, among others. Like any Arbitrary Options Update vulnerability, this can facilitate a full site compromise. And this can be initiated with just Subscriber-level access. Consequently, this vulnerability has been assigned a CVSS score of 8.8 (High).

For instance, an attacker can change the default registration role to administrator and enable user registration (if it wasnā€™t already enabled). After altering the site options, the attacker can create an administrative account on the WordPress site. Once registered and logged in, they can manipulate the site as a normal administrator would, including uploading plugins and theme filesā€”which might be malicious ZIP files containing backdoorsā€”and modifying posts and pages to redirect site users to malicious sites.

Nevertheless, MalCareā€™s dynamic Atomic Security firewall remained proactive during the entire development process. Leveraging in-depth WordPress knowledge, it automatically updated itself to defend against the Login/Signup Popup vulnerability. As a result, our users continue to benefit from uninterrupted, robust protection.

This vulnerability has now been fixed with the release of Login/Signup Popup v2.7.3 on May 28, 2024.

Who discovered this vulnerability?

The Login/Signup Popup privilege escalation vulnerability was discovered by independent security researcher 1337_Wannabe on May 17, 2024, who reported it to Wordfenceā€™s Bug Bounty Program. Consequently, Wordfence informed Xootix, the plugin developers, on May 27, 2024, following which a patch was released on May 28, 2024.

How is your WordPress site at risk?

Your WordPress site is at risk if it runs the Login/Signup Popup plugin v2.7.1 or v2.7.2.

Imagine youā€™ve installed the most advanced security system in your house but accidentally left a spare key under the doormat. Thatā€™s a lot like what happened with the vulnerability in the Login/Signup Popup plugin. It’s akin to inviting trouble unwittingly.

In simple terms, an ordinary user could upgrade their access to an administrator level without your consent, effectively giving themselves full control of your digital domain.

But this isn’t just about unauthorized access; it places the entire security of your site in jeopardy. The potential damage is massive, comparable to giving an intruder free rein in your home. With administrator privileges, they can:

  • Disrupt your website, affecting other sites and potentially causing Google to blacklist your site and/or penalize you.
  • Exploit your site for cryptocurrency mining, which can severely slow it down or even make it crash.
  • Flood your visitors with intrusive or deceptive emails, undermining their trust in your site.
  • Redirect your visitors to malicious websites.
  • Install a backdoor for repeated access, even after you think you’ve resolved the issue.
  • Ruin your site to the extent that youā€™d have to rebuild it, hoping you have a backup available.

We strongly recommend that you update the Login/Signup Popup plugin on your WordPress site immediately, at least to v2.7.3, regardless of whether you are a MalCare user or not! Doing so will safeguard your site, protect your reputation, and maintain your visitors’ trust.

How to clean your site?

If your WordPress site is compromised, here are some practical steps to recover and bolster your siteā€™s security:

  1. Initiate a MalCare scan: Use MalCare to quickly eliminate any malware and fortify your site against future attacks with its Atomic Security feature.
  2. Update plugins and themes: Regularly check and update all your plugins and themes, particularly the User Registration plugin. Older versions might contain vulnerabilities that hackers exploit. MalCareā€™s dashboard alerts you about outdated plugins and themes, simplifying maintenance and enhancing site security.
  3. Review user roles and permissions: Assess the roles and permissions assigned to all users. Immediately revoke access if anything seems suspicious.
  4. Refresh WordPress salts and security keys: This process will force all users to log out and terminate active sessions, thereby enhancing your siteā€™s security. MalCare includes this step in its cleanup routine for added convenience.
  5. Change login credentials: Promptly update your admin password. Ensure all user sessions are terminated, advise users to change their passwords, and encourage the use of strong, new passwords.
  6. Enhance login security: Implement two-factor authentication (2FA) and limit login attempts to reduce the risk of unauthorized access.
  7. Continuously monitor your site: MalCare handles this by continuously monitoring your site for any unusual activities, providing alerts for potential threats, and persistently scanning for malware.

How does MalCare protect your site?

Beyond Atomic Security, MalCare ensures comprehensive security for your WordPress site with an array of essential features, such as:

  1. Rapid malware detection and cleanup: MalCare performs daily scans of your site, automatically identifying any malware. If malware is found, its powerful removal tool swiftly eradicates it, restoring your siteā€™s security and health.
  2. Vulnerability scanning: MalCare continuously monitors your plugins and themes for potential vulnerabilities. When issues are detected, it promptly alerts you, allowing you to reinforce your siteā€™s defenses.
  3. Bot protection: Understanding the detrimental effects bots can have on your siteā€™s performance, MalCare implements robust defenses to prevent bot interference, ensuring the smooth operation of your site.
  4. Reliable backups: MalCareā€™s automated, offsite backup system prepares you for any eventuality. These backups act as a safety net, enabling quick recovery if any problems arise.

MalCare wraps your WordPress site in a protective shield, combining proactive measures with strong defenses to maintain your siteā€™s security and integrity.

Category:

You may also like


wordpress images not loading feature image
8 Quick Fixes for WordPress Images Not Loading

When WordPress images fail to load, you might see empty spaces where images should be. This can leave visitors wondering whatā€™s wrong or give your site an unprofessional look. Much…

wordpress high CPU usage feature image
Fix WordPress High CPU Usage in 10 Easy Ways

Are you getting alerts from your host about CPU spikes? Have visitors commented on slow loading times?  These are all signs of high CPU strain. When combined with other WordPress…

wordpress permalinks not working error feature image
7 Ways to Fix WordPress Permalinks Not Working

Permalinks are the human-friendly URLs you see on WordPress sites. They help people find pages and posts easily. They keep things clear and tidy. They are like street signs for…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.