Viewing 9 replies - 1 through 9 (of 9 total)
  • Came here for the same issue. I will probably choose to uninstall for now.

    Bob

    (@boblindner)

    While any vulnerability is not ideal, keep in mind this one requires “authenticated attackers, with administrator-level permissions”. If you are already an administrator, you can do pretty much anything you want. So if you are worried about your administrators, you have other problems. It certainly is not great, but it’s good to have a little perspective. I hope the authors patch and do additional review. This plugin where some issues are known and patched is better than another unknown one!

    In the description it says “makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.” That is also what happens if you give someone an administrator-level account.

    Finally, this only affects multi-site installations and installations where unfiltered_html has been disabled. That has to be a small number of total installations as a percentage.

    Just trying to throw some perspective in here. Maybe I’m seeing it incorrectly but these “authenticated attackers, with administrator-level permissions” issues do not scare me as much as allowing people to be administrator-level to begin with.
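Bob's point rests on a WordPress detail worth making concrete: administrators on a multisite network (unless they are super admins), and every user on a site where DISALLOW_UNFILTERED_HTML is set, do not hold the unfiltered_html capability, so a plugin that stores admin-supplied markup must filter it whenever the saving user lacks that capability instead of trusting the administrator role. The following settings-save handler is an added illustration of that gate, not code from the Popup Builder plugin; it runs inside WordPress, and the option name example_popup_body, the nonce action example_save_popup and the function names are hypothetical.

```php
<?php
/**
 * Added example (not Popup Builder's code): save a settings field that may
 * contain HTML while honouring the unfiltered_html capability.
 *
 * Assumptions: executes inside WordPress; 'example_popup_body' (option name)
 * and 'example_save_popup' (nonce / admin_post action) are hypothetical.
 */

/**
 * Return the markup unchanged only for users who hold unfiltered_html;
 * everyone else gets the post-safe allowlist, which drops <script>,
 * on* event-handler attributes and javascript: URLs.
 */
function example_filter_popup_html( $raw_html ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $raw_html;
    }
    return wp_kses_post( $raw_html );
}

/**
 * admin_post handler: role check, CSRF check, then capability-aware filtering
 * before the value reaches the database.
 */
function example_save_popup_settings() {
    // Only administrators may reach the save path at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check guards against cross-site request forgery.
    check_admin_referer( 'example_save_popup' );

    $raw  = isset( $_POST['popup_body'] ) ? wp_unslash( $_POST['popup_body'] ) : '';
    $body = example_filter_popup_html( $raw );

    update_option( 'example_popup_body', $body );

    wp_safe_redirect( wp_get_referer() );
    exit;
}
add_action( 'admin_post_example_save_popup', 'example_save_popup_settings' );

/**
 * Render side: the stored value was filtered at save time according to the
 * saving user's capability, so it is echoed as stored.
 */
function example_render_popup_body() {
    echo get_option( 'example_popup_body', '' );
}
```

The decisive line is the current_user_can( 'unfiltered_html' ) test: a check on the administrator role alone is exactly what leaves multisite and DISALLOW_UNFILTERED_HTML installs exposed, because on those sites the platform has deliberately withdrawn raw-HTML rights from administrators. Running wp_kses_post again in example_render_popup_body would be the stricter option, at the cost of also stripping markup that a super admin was entitled to save.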

    Thread Starter +ES

    (@evelynmsdesigngraphicscom)

    Hi, @boblindner, thank you for the perspective and clarifications. I do understand that this specific issue that WordFence has flagged may not be a “big concern” for you (or others), my concern is that this is not the 1st issue that WF flagged for this plugin. The previous issue (in the link I provided for my other post) was fixed but now ANOTHER problem is being flagged by WF. And, my main concern is that I was actually about to upgrade this Free Plugin to one of their Paid Extensions (which is built on this free version), but I do not have confidence at this point in time with doing a paid upgrade from a free plugin that is compromised.

    The continued and/or additional compromises that keep being found by WF are what I am concerned about, specifically (and not this specific issue in this particular instance). If the Plugin Author(s) are not able to maintain a secure plugin, then I will have to not upgrade to their Paid Extension and remove this Free version – however, I am trying to be patient with them and have been waiting for over a week for a response on this specific thread… I do want them to fix this issue (and maintain a secure plugin) so that I can have peace-of-mind that when I pay for the Paid Extension, it will also be maintained and secure. Right now, my confidence is waning…

    Bob

    (@boblindner)

    Those are very good points. Especially the premium add-ons that do not have the ability to get public scrutiny. Hopefully, the authors will apply this hard-earned knowledge to all of their programming.

    Plugin Support Jawad Ahmed

    (@jawada)

    Hi All,

    Thank you for bringing this matter to our attention, and we sincerely apologize for any inconvenience this security alert may have caused you. We take the security of our products seriously and greatly appreciate your vigilance in reporting these issues.

    Upon reviewing the information you provided and the WordFence security alert, we understand your concerns regarding the security of our plugin. Our development team is actively addressing this issue and working to provide a fixed/patched upgrade as soon as possible to resolve the security vulnerability. We are also taking into consideration the feedback from other users in the WordPress community who have raised similar concerns.

    Rest assured, we are committed to maintaining a secure plugin and ensuring that our users can trust our products, both free and premium.

    If you have any further questions or concerns, please do not hesitate to reach out to us. We will keep you updated on our progress in addressing this security vulnerability.

    Thank you for choosing Popup Builder, and we look forward to regaining your confidence in our plugin’s security.

    Best regards,

    Thread Starter +ES

    (@evelynmsdesigngraphicscom)

    Hi, @jawada, thank you for the detailed response. Do you have an ETA for when this plugin will be secured again? Please advise.

    Plugin Support Jawad Ahmed

    (@jawada)

    Hi

    We apologize for the delay caused. We are pleased to inform you that the security vulnerability you reported has been addressed and resolved in our latest update, version 4.2.2. I will now mark this thread as resolved. If you require further assistance or have any additional questions, please don’t hesitate to contact us through our support portal. Our team is always here to help!

    https://help.popup-builder.com/en/

    Sincerely,

    Thread Starter +ES

    (@evelynmsdesigngraphicscom)

    Hi,

    Thank you so much! I appreciate your time & efforts on this!

    This is great to hear as we want to use this plugin for another campaign on our site asap. Appreciate the transparency and quick response from the developers.

  • The topic ‘Another Security Alert (again)’ is closed to new replies.