Attackers holding a subscriber account on a WordPress website that runs the Slick Popup plugin can take over the site by enabling a backdoor administrator account with hardcoded credentials.
The vulnerability is currently unpatched and affects all versions of the plugin up to 1.7.1, which is the latest release; the developer has not produced a fix a month after acknowledging the issue.
Logged-in users can create accounts
Security researchers at Defiant, the maker of the Wordfence firewall, found that Slick Popup includes a feature that lets site owners grant access to the plugin's developer.
It does this by generating an administrator account and emailing the details to Om Ak Solutions. The credentials for the new account are the same (slickpopupteam / OmakPass13#) on every website running Slick Popup.
"Since this is a known value in all cases, it’s possible for malicious actors to assemble a list of sites making use of the plugin and occasionally test for the presence of this support user. Once logged in, they’re free to create other backdoors independent of this user," says Michael Veenstra, threat analyst at Defiant.
That logged-in user does not need elevated privileges: Veenstra explains that an attacker with as little as Subscriber access to an affected website can activate the backdoor account.
This is possible because the account is generated by an AJAX action that performs no capability check on the requester. As a result, any user logged into a vulnerable website can create new accounts.
Om Ak Solutions told Defiant that a patch is available for the paid version of the plugin and that a fix for the free release is in the works.
Multiple solutions at hand
Deactivating or deleting the plugin are the two recommended ways to keep a website that runs it safe.
However, a third option disables the support access feature while keeping the rest of the plugin's functionality; it also removes the ability to create new user accounts through it. All it takes is commenting out the following line:
Admins should note that this does not remove a backdoor account that already exists; such an account must be removed manually, and updating the plugin will overwrite the change.
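As an added illustration (not Slick Popup's own code, which the article does not reproduce), here is the shape of a support-access AJAX handler that is missing its checks, next to a hardened version, plus a helper an administrator can run to find an existing support account before removing it by hand. The action, option and nonce names are assumptions; the placeholder password is constructed.

```php
<?php
// Added illustration, not the plugin's code. Action name, option name and
// nonce name are assumptions; the fixed password below is a placeholder.

// WEAK PATTERN described in the article: every logged-in user can reach a
// wp_ajax_ handler, and this one creates an administrator with credentials
// that are identical on every site, without checking who is asking.
add_action( 'wp_ajax_sp_weak_grant_support', function () {
    $uid = wp_create_user( 'support-user', 'FIXED-PASSWORD-PLACEHOLDER', 'dev@example.invalid' );
    if ( ! is_wp_error( $uid ) ) {
        ( new WP_User( $uid ) )->set_role( 'administrator' );
    }
    wp_die();
} );

// HARDENED PATTERN: only an administrator presenting a valid nonce, on a site
// that explicitly opted in, can create the account, and the password is
// random and returned once instead of being shared by every installation.
add_action( 'wp_ajax_sp_grant_support', function () {
    check_ajax_referer( 'sp_grant_support', 'nonce' );            // CSRF token
    if ( ! current_user_can( 'create_users' ) ) {                 // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! get_option( 'sp_support_access_enabled' ) ) {          // feature opt-in
        wp_send_json_error( 'support access disabled', 403 );
    }
    $password = wp_generate_password( 32, true, true );
    $uid      = wp_create_user( 'support-user', $password, 'dev@example.invalid' );
    if ( is_wp_error( $uid ) ) {
        wp_send_json_error( $uid->get_error_message(), 500 );
    }
    ( new WP_User( $uid ) )->set_role( 'administrator' );
    wp_send_json_success( array( 'user_id' => $uid ) );
} );

// Defender check: report whether the support account named in the article
// already exists on this site so an administrator can delete it manually.
function sp_find_support_account( $login = 'slickpopupteam' ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return null;
    }
    return array(
        'id'         => $user->ID,
        'roles'      => $user->roles,
        'registered' => $user->user_registered,
    );
}
```

The last function can be run from WP-CLI with `wp eval 'var_export( sp_find_support_account() );'` after loading the file; a non-null result means the account exists and should be removed.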
Defiant first notified Om Ak Solutions of the vulnerability on April 22 and received a reply acknowledging the issue five days later.
The current version of Slick Popup, 1.7.1, was released on May 14 but does not include a fix for the reported problem. Defiant's disclosure policy gives vendors 30 days to address an issue before the details are made public.