Zero-day vulnerability fixed in WordPress Login/Signup Popup plugin.

The WordPress Login/Signup Popup plugin, which has 10,000+ active installations, fixed a zero-day vulnerability affecting version 1.4 and below.

A missing capability check and a missing security nonce allow any authenticated user to inject, via the AJAX API, JavaScript code into the plugin’s settings and to use it to target the administrator in the backend of WordPress. The vulnerability has been exploited for a couple of days.
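To illustrate the class of bug described above, here is an added example that is not the plugin's own code: a minimal WordPress AJAX settings handler in the vulnerable shape the advisory describes (reachable by any logged-in user, no nonce, no capability check, no sanitization), next to a hardened version. All function, action, option, field and script-handle names are hypothetical; only the WordPress API calls are real.

```php
<?php
// Added example, not the plugin's code. Names prefixed lsp_example_ are hypothetical.

// --- Vulnerable pattern ---
// wp_ajax_* hooks are reachable by every authenticated user, so without a
// capability check and a nonce a subscriber can store arbitrary HTML/JS in
// the option, which is later printed unescaped in wp-admin (stored XSS).
function lsp_example_save_settings_vulnerable() {
    $settings = array(
        'popup_title' => isset( $_POST['popup_title'] ) ? $_POST['popup_title'] : '',
    );
    update_option( 'lsp_example_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_lsp_example_save_settings_vulnerable', 'lsp_example_save_settings_vulnerable' );

// --- Hardened pattern ---
function lsp_example_save_settings_fixed() {
    // 1. CSRF protection: the request must carry a nonce created for this action.
    check_ajax_referer( 'lsp_example_save_settings', 'nonce' );

    // 2. Authorization: only users who may manage options can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // 3. Sanitize input on the way in (strips tags, so no script can be stored).
    $settings = array(
        'popup_title' => isset( $_POST['popup_title'] )
            ? sanitize_text_field( wp_unslash( $_POST['popup_title'] ) )
            : '',
    );
    update_option( 'lsp_example_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_lsp_example_save_settings_fixed', 'lsp_example_save_settings_fixed' );

// 4. Escape output when the stored value is rendered in the admin page.
function lsp_example_render_settings_field() {
    $settings = get_option( 'lsp_example_settings', array( 'popup_title' => '' ) );
    printf(
        '<input type="text" name="popup_title" value="%s">',
        esc_attr( $settings['popup_title'] )
    );
}

// The nonce is handed to the (hypothetical, already registered) admin script,
// which sends it back as the 'nonce' POST field checked above.
function lsp_example_enqueue_admin_script() {
    wp_localize_script(
        'lsp-example-admin',
        'lspExample',
        array( 'nonce' => wp_create_nonce( 'lsp_example_save_settings' ) )
    );
}
add_action( 'admin_enqueue_scripts', 'lsp_example_enqueue_admin_script' );
```

The three checks are independent: `check_ajax_referer()` stops cross-site requests, `current_user_can()` stops low-privileged accounts, and sanitizing on input plus escaping on output stops stored script from reaching the administrator's browser even if one of the other two is bypassed. When auditing a plugin for this bug class, look for every `add_action( 'wp_ajax_…' )` handler that writes an option and confirm all three are present.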

Timeline

The vulnerability was reported on May 14th, 2020 to the author who immediately released a quick fix (version 1.5).

Recommendations

Upgrade immediately if you have version 1.4 or below.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.
