Defiant experts have [discovered a] problem in the Slick Popup WordPress plugin, due to which attackers can penetrate vulnerable sites and create backdoor accounts. All versions of the plugin are subject to the problem, including the latest 1.7.1.
The Slick Popup plugin has more than 7,000 installations and was developed by Om Ak Solutions. Slick Popup is designed to work in conjunction with another popular WordPress solution – Contact Form 7.
Defiant’s researchers noticed that dangerous functionality is present in Slick Popup, in case of contacting technical support, allowing the plug-in user to provide access to it to Om Ak Solutions specialists. The problem is that for this purpose a special account is used with the same credentials for all installations: slickpopupteam / OmakPass13 #.
Experts fear that attackers can easily compile lists of all sites using Slick Popup, and then check if there are special accounts for technical support. Using this access, the attackers will be able to create other accounts for themselves, leaving a backdoor on the site. And the level of access of an attacking user is unimportant, even a simple Subscriber (Subscriber) can create a backdoor.