MalCare Defends Against Login/Signup Popup Privilege Escalation Vulnerability


Imagine realizing that your once-secure office building, with restricted access to only trusted personnel, is now accessible to unauthorized individuals who have the same executive privileges as you!

Now, imagine that office building to be your WordPress site… Scary, right?

This alarming scenario recently became a reality for websites that use the Login/Signup Popup plugin, which was hit by a critical privilege escalation vulnerability. Due to this vulnerability, any ordinary subscriber could promote themselves to an administrator level, gaining the authority to alter content, install potentially dangerous software, and overall, take full control of your site.

If you have the Login/Signup Popup plugin installed, scan your site immediately with MalCare!

What is the vulnerability?

Plugin information

  • Vulnerable plugin versions: v2.7.1 and v2.7.2
  • Patch release version: v2.7.3

About the vulnerability

Login/Signup Popup is a plugin that simplifies user registration, login, and password reset processes. It boasts extensive customizability for forms and has over 40,000 active installations.

Login/Signup Popup plugin

The Login/Signup Popup plugin is vulnerable to privilege escalation due to improper usage of the import_settings() function in v2.7.1 and v2.7.2.

The import_settings() function is used to import the plugin’s admin settings. However, in the vulnerable versions, this function performed neither a capability check nor a nonce check. As a result, any authenticated user, even one with only subscriber-level permissions, could invoke it through the plugin’s AJAX action.

Upon further investigation, it was discovered that there are no restrictions on the option names that can be updated. Crucially, this means the settings that can be modified are not confined to the plugin’s own settings. As a result, attackers can update arbitrary options by sending direct requests to the server with chosen option names and values.

Vulnerable code

WordPress site options influence a range of settings including site URLs, general settings, registration, and user roles, among others. Like any Arbitrary Options Update vulnerability, this can facilitate a full site compromise. And this can be initiated with just Subscriber-level access. Consequently, this vulnerability has been assigned a CVSS score of 8.8 (High).

For instance, an attacker can change the default registration role to administrator and enable user registration (if it wasn’t already enabled). After altering the site options, the attacker can create an administrative account on the WordPress site. Once registered and logged in, they can manipulate the site as a normal administrator would, including uploading plugins and theme files—which might be malicious ZIP files containing backdoors—and modifying posts and pages to redirect site users to malicious sites.
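The handler pattern described above, written out as an added illustration (this is not the plugin’s actual code): an AJAX settings importer with no nonce or capability check that writes whatever option names it receives, beside a hardened version that adds both checks and an allow-list of the plugin’s own options. The hook, function and option names (`lsp_*`) and the JSON shape of the posted settings are assumptions.

```php
<?php
// Added illustration of the vulnerability class, not the plugin's own code.
// The lsp_* names and the JSON shape of $_POST['settings'] are hypothetical.

// BEFORE: every wp_ajax_{action} hook fires for ANY logged-in user, regardless of
// role. Nothing here checks who is calling, whether the request was forged, or
// which options are being written, so a subscriber can set core options such as
// default_role or users_can_register.
function lsp_import_settings_vulnerable() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    foreach ( (array) $settings as $name => $value ) {
        update_option( $name, $value );   // arbitrary option name and value
    }
    wp_send_json_success();
}

// Pure helper: keep only allow-listed option names with scalar values, reduced
// to plain trimmed text (inside WordPress, sanitize_text_field() would be the
// usual choice). It has no WordPress dependency, so it can be unit tested alone.
function lsp_filter_import( array $posted, array $allowed ): array {
    $clean = [];
    foreach ( $posted as $name => $value ) {
        if ( ! in_array( $name, $allowed, true ) || ! is_scalar( $value ) ) {
            continue;   // silently drops default_role, users_can_register, siteurl, ...
        }
        $clean[ $name ] = trim( strip_tags( (string) $value ) );
    }
    return $clean;
}

// AFTER: nonce check (CSRF), capability check (authorization), allow-list (scope).
function lsp_import_settings_hardened() {
    check_ajax_referer( 'lsp_import_settings', 'nonce' );   // dies on a missing/bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {          // subscribers stop here
        wp_send_json_error( 'insufficient_permissions', 403 );
    }
    $posted  = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    $allowed = [ 'lsp_form_title', 'lsp_redirect_url' ];    // the plugin's own options only
    foreach ( lsp_filter_import( (array) $posted, $allowed ) as $name => $value ) {
        update_option( $name, $value );
    }
    wp_send_json_success();
}

// Only the hardened handler is registered; the guard lets this file also be
// loaded outside WordPress (e.g. to test lsp_filter_import) without errors.
if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_lsp_import_settings', 'lsp_import_settings_hardened' );
}
```

The capability check alone would not be enough: without the nonce, an administrator could be tricked into submitting the import from another site, and without the allow-list a compromised or careless admin form can still overwrite core options.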

Nevertheless, MalCare’s dynamic Atomic Security firewall remained proactive during the entire development process. Leveraging in-depth WordPress knowledge, it automatically updated itself to defend against the Login/Signup Popup vulnerability. As a result, our users continue to benefit from uninterrupted, robust protection.

This vulnerability has now been fixed with the release of Login/Signup Popup v2.7.3 on May 28, 2024.

Who discovered this vulnerability?

The Login/Signup Popup privilege escalation vulnerability was discovered by independent security researcher 1337_Wannabe on May 17, 2024, who reported it to Wordfence’s Bug Bounty Program. Consequently, Wordfence informed Xootix, the plugin developers, on May 27, 2024, following which a patch was released on May 28, 2024.

How is your WordPress site at risk?

Your WordPress site is at risk if it runs the Login/Signup Popup plugin v2.7.1 or v2.7.2.

Imagine you’ve installed the most advanced security system in your house but accidentally left a spare key under the doormat. That’s a lot like what happened with the vulnerability in the Login/Signup Popup plugin. It’s akin to inviting trouble unwittingly.

In simple terms, an ordinary user could upgrade their access to an administrator level without your consent, effectively giving themselves full control of your digital domain.

But this isn’t just about unauthorized access; it places the entire security of your site in jeopardy. The potential damage is massive, comparable to giving an intruder free rein in your home. With administrator privileges, they can:

  • Disrupt your website, affecting other sites and potentially causing Google to blacklist your site and/or penalize you.
  • Exploit your site for cryptocurrency mining, which can severely slow it down or even make it crash.
  • Flood your visitors with intrusive or deceptive emails, undermining their trust in your site.
  • Redirect your visitors to malicious websites.
  • Install a backdoor for repeated access, even after you think you’ve resolved the issue.
  • Ruin your site to the extent that you’d have to rebuild it, hoping you have a backup available.

We strongly recommend that you update the Login/Signup Popup plugin on your WordPress site immediately, at least to v2.7.3, regardless of whether you are a MalCare user or not! Doing so will safeguard your site, protect your reputation, and maintain your visitors’ trust.

How to clean your site?

If your WordPress site is compromised, here are some practical steps to recover and bolster your site’s security:

  1. Initiate a MalCare scan: Use MalCare to quickly eliminate any malware and fortify your site against future attacks with its Atomic Security feature.
  2. Update plugins and themes: Regularly check and update all your plugins and themes, particularly the Login/Signup Popup plugin. Older versions might contain vulnerabilities that hackers exploit. MalCare’s dashboard alerts you about outdated plugins and themes, simplifying maintenance and enhancing site security.
  3. Review user roles and permissions: Assess the roles and permissions assigned to all users. Immediately revoke access if anything seems suspicious.
  4. Refresh WordPress salts and security keys: This process will force all users to log out and terminate active sessions, thereby enhancing your site’s security. MalCare includes this step in its cleanup routine for added convenience.
  5. Change login credentials: Promptly update your admin password. Ensure all user sessions are terminated, advise users to change their passwords, and encourage the use of strong, new passwords.
  6. Enhance login security: Implement two-factor authentication (2FA) and limit login attempts to reduce the risk of unauthorized access.
  7. Continuously monitor your site: MalCare handles this by continuously monitoring your site for any unusual activities, providing alerts for potential threats, and persistently scanning for malware.

How does MalCare protect your site?

Beyond Atomic Security, MalCare ensures comprehensive security for your WordPress site with an array of essential features, such as:

  1. Rapid malware detection and cleanup: MalCare performs daily scans of your site, automatically identifying any malware. If malware is found, its powerful removal tool swiftly eradicates it, restoring your site’s security and health.
  2. Vulnerability scanning: MalCare continuously monitors your plugins and themes for potential vulnerabilities. When issues are detected, it promptly alerts you, allowing you to reinforce your site’s defenses.
  3. Bot protection: Understanding the detrimental effects bots can have on your site’s performance, MalCare implements robust defenses to prevent bot interference, ensuring the smooth operation of your site.
  4. Reliable backups: MalCare’s automated, offsite backup system prepares you for any eventuality. These backups act as a safety net, enabling quick recovery if any problems arise.

MalCare wraps your WordPress site in a protective shield, combining proactive measures with strong defenses to maintain your site’s security and integrity.
