On March 4, researchers discovered several vulnerabilities in Popup Builder, a WordPress plugin installed on over 100,000 sites, including one that allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded.
The other vulnerability allowed any logged-in user, even those with minimal permissions such as a subscriber, to export a list of all newsletter subscribers, export system configuration information, and grant themselves access to various features of the plugin.
The client -side is the new battleground and JavaScript is the attack surface. Over 70% of the scripts on a typical website are third-party. Platforms like WordPress greatly simplify the process of building a website, and have over 50,000 third-party plugins available for many commonly used functions. However, these can also be exploited by hackers to inject malicious JavaScript into thousands of websites in one stroke. This malicious code can be used to steal customer data such as credit card numbers, hijack users to alternate sites, or even gain complete admin control over a website by stealing credentials.
Digital skimming and Magecart attacks are popular because the stolen data can be readily sold on the dark web, along with authentication information like CVV codes, zip codes and phone numbers. With data privacy regulations like CCPA and GDPR raising the stakes, businesses must exercise extreme caution before installing third-party plugins on their website, and must ensure they stay up to date with security patches.