Popup Builder vulnerability threatens 200,000 sites
WebARX researchers warn that the popular WordPress Popup Builder plugin (full name: Popup Builder - Responsive WordPress Pop up - Subscription & Newsletter) installed on more than 200,000 sites could be used to perform various malicious actions, including sending spam.
Problems were found in all versions of the plugin up to Popup Builder 3.71, and have now been fixed by the developers.
The experts write that the root of all the problems lay in the lack of authorization for most AJAX methods. As a result, these flaws could be exploited for sending arbitrary newsletters, local file inclusion attacks, importing or removing subscribers, and other malicious actions.
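The root cause described above, shown as a WordPress AJAX handler before and after an authorization check is added. This is an added example, not Popup Builder's code: every `example_*` name, the `example_subscribers` option key and the choice of the `manage_options` capability are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical plugin code, not taken from Popup Builder.
// All "example_*" names and the option key are invented for this sketch.

// Hypothetical helper: mails every address stored in a plugin option.
function example_mail_all_subscribers( $subject, $body ) {
    foreach ( (array) get_option( 'example_subscribers', array() ) as $email ) {
        wp_mail( $email, $subject, $body );
    }
}

// BEFORE: a wp_ajax_* hook fires for every logged-in account, whatever its role.
// The callback never checks a capability, so the lowest-privileged account
// can trigger a mailing to the whole list.
add_action( 'wp_ajax_example_newsletter_unsafe', 'example_newsletter_unsafe' );
function example_newsletter_unsafe() {
    $subject = wp_unslash( $_POST['subject'] );
    $body    = wp_unslash( $_POST['body'] );
    example_mail_all_subscribers( $subject, $body );
    wp_send_json_success();
}

// AFTER: the same action with request-origin and privilege checks.
add_action( 'wp_ajax_example_newsletter_checked', 'example_newsletter_checked' );
function example_newsletter_checked() {
    // CSRF check: the request must carry a nonce created for this action.
    // On failure WordPress terminates the request here.
    check_ajax_referer( 'example_newsletter_nonce', 'nonce' );

    // Authorization: a nonce shows intent, not privilege, so the capability
    // is checked separately before any work is done.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Validate input only after the caller is known to be allowed.
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    if ( '' === $subject || '' === $body ) {
        wp_send_json_error( array( 'message' => 'Missing fields' ), 400 );
    }

    example_mail_all_subscribers( $subject, $body );
    wp_send_json_success();
}
```

When reviewing a plugin, the same pattern applies to every registered `wp_ajax_*` callback: each one that changes state or reads files needs its own `current_user_can()` check.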
Researchers urge everyone to update Popup Builder as soon as possible.
Source: xaker.ru
02 February 2021