Weekly WordPress News: Major Vulnerability in WordPress Popup Maker Affects Over 700,000 Websites

The U.S. government National Vulnerability Database issued an advisory about a Stored Cross-Site Scripting vulnerability in the popular Popup Maker plugin for WordPress.

Popup Maker for WordPress:
A vulnerability was discovered in the “Popup Maker” WordPress plugin, which is installed in over 700,000 websites. This plugin integrates with many contact forms and is designed to drive conversions in WooCommerce stores and email newsletter signups. Despite being released in 2021, it has earned over 4,000 five-star reviews.

Popup Maker Vulnerability:
This plugin is vulnerable to stored cross-site scripting (XSS). A malicious script is uploaded to the server and stored there, hence the name “stored.” XSS vulnerabilities occur when input data is not properly sanitised, resulting in a lack of control over what can be uploaded. This vulnerability can be exploited if a hacker gains access to a user with at least contributor-level credentials.

Cause & Solution:
Stored XSS vulnerabilities can have severe consequences, including site takeover and user data exposure. There was an update to fix the issue, but a bug was introduced in the patch. To avoid problems, update to the latest version (V1.17.1).

WORDPRESS NEWS AND ARTICLES

• https://wordpress.org/news/2022/12/episode-46-the-wp-bloopers-podcast/ – Episode 46: The WP Bloopers Podcast
• https://wptavern.com/linux-backdoor-malware-targets-wordpress-sites-with-outdated-vulnerable-themes-and-plugins – Linux Backdoor Malware Targets WordPress Sites with Outdated, Vulnerable Themes and Plugins
• https://wptavern.com/podcast/57-damon-cook-on-the-future-of-website-styling-in-wordpress – Damon Cook on the Future of Website Styling in WordPress
• https://poststatus.com/on-the-fediverse-wordpress-and-activity-pub-with-matthias-pfefferle-post-status-draft-135/ – On The Fediverse, WordPress, And Activity Pub With Matthias Pfefferle
• https://wptavern.com/awesome-motive-acquires-duplicator-plugin – Awesome Motive Acquires Duplicator Plugin
• https://poststatus.com/wordpress-6-2-schedule-2022-in-core-block-developer-year-in-review-new-incident-response-team/ – WordPress 6.2 Schedule • 2022 in Core • Block Developer Year in Review • New Incident Response Team

TUTORIALS AND HOW-TOS

• https://www.wpbeginner.com/wp-tutorials/how-to-host-local-fonts-in-wordpress-for-a-faster-website/ – How to Host Local Fonts in WordPress for a Faster Website
• https://www.wpbeginner.com/wp-tutorials/how-to-easily-embed-instagram-in-wordpress-with-oembed/ – How to Easily Embed Instagram in WordPress (Step by Step)
• https://yoast.com/how-to-check-site-speed/ – How to check page speed: tools and suggestions
• https://www.elegantthemes.com/blog/wordpress/password-protect-page-wordpress – How to Password Protect a Page in WordPress
• https://code.tutsplus.com/articles/how-to-enable-digital-downloads-in-woocommerce–cms-93648 – How to Enable Digital Downloads in WooCommerce
• https://www.wpbeginner.com/wp-tutorials/boost-your-likes-by-creating-a-facebook-giveaway-using-wordpress/ – How to Add a Facebook Giveaway in WordPress to Boost Engagement

RESOURCES

• https://www.wpbeginner.com/beginners-guide/seo-title-vs-h1-post-title-in-wordpress-whats-the-difference/ – SEO Title vs H1 Post Title in WordPress: What’s the Difference?
• https://yoast.com/seo-in-the-new-year/ – SEO in 2023: Your chance to shine!
• https://www.wpbeginner.com/beginners-guide/why-blog-benefits-of-blogging/ – Why Blog? 14 Benefits of Blogging in 2023
• https://www.elegantthemes.com/blog/wordpress/best-wordpress-cache-plugins – 8 Best WordPress Cache Plugins (in 2023)
• https://www.elegantthemes.com/blog/wordpress/best-woocommerce-seo-plugins – 6 Best WooCommerce SEO Plugins for 2023
• https://www.sitesaga.com/best-web-hosting-for-seo/ – Best Web Hosting for SEO 2023- Top 7 Providers