Defiant researchers have discovered a flaw in the Slick Popup WordPress plugin that lets attackers break into vulnerable sites and create backdoor accounts. All versions of the plugin are affected, including the latest, 1.7.1.
The Slick Popup plugin has more than 7,000 installations and was developed by Om Ak Solutions. It is designed to work in conjunction with another popular WordPress plugin, Contact Form 7.
Defiant's researchers noticed that Slick Popup contains dangerous functionality: when a plugin user contacts technical support, the plugin lets them grant Om Ak Solutions staff access to the site. The problem is that this access relies on a dedicated account with the same credentials on every installation: slickpopupteam / OmakPass13 #.
The researchers fear that attackers can easily compile a list of all sites running Slick Popup and then check each one for the shared support account. With that access, attackers could create additional accounts for themselves, leaving a backdoor on the site. The privilege level of the attacking user does not matter: even a plain Subscriber can create a backdoor.
At present, Om Ak Solutions has prepared a patch only for the paid version of the plugin; the free version remains vulnerable (although it has been temporarily pulled from download). Defiant therefore strongly recommends that users temporarily disable or remove Slick Popup altogether. There is, however, a third option: deactivate the technical-support access function (the action_splite_support_access AJAX action), which prevents new accounts from being created. The researchers warn that this will not remove a backdoor account that already exists.
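The two-part mitigation above (block the support-access AJAX action, then hunt for the already-created account) can be implemented as a must-use plugin. The following is an added example, not code from Slick Popup or from Defiant; it assumes the AJAX action name quoted in the article is dispatched through WordPress's standard wp_ajax_{action} / wp_ajax_nopriv_{action} hooks, and it treats the plugin's own callback and priority as unknown.

```php
<?php
/**
 * Plugin Name: Slick Popup support-access hardening (added example, not the plugin's own code)
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Part 1: short-circuit the support-access handler before Slick Popup's own callback runs.
// WordPress routes admin-ajax.php?action=X through wp_ajax_X (logged-in) and
// wp_ajax_nopriv_X (anonymous). Hooking at priority 0 and ending the request with
// wp_die() works without knowing the plugin's callback name (assumption noted above).
function spt_block_support_access() {
    $who = is_user_logged_in() ? wp_get_current_user()->user_login : 'anonymous';
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'Blocked Slick Popup support-access request by %s from %s', $who, $ip ) );
    wp_die( 'Support access is disabled on this site.', 'Forbidden', array( 'response' => 403 ) );
}
add_action( 'wp_ajax_action_splite_support_access', 'spt_block_support_access', 0 );
add_action( 'wp_ajax_nopriv_action_splite_support_access', 'spt_block_support_access', 0 );

// Part 2: blocking the handler does not remove an account that already exists,
// so keep an admin notice on screen until the shared support login is gone.
function spt_find_support_account() {
    return get_user_by( 'login', 'slickpopupteam' ); // WP_User on match, false otherwise
}

function spt_support_account_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $user = spt_find_support_account();
    if ( ! ( $user instanceof WP_User ) ) {
        return;
    }
    $msg = sprintf(
        'User "%s" (ID %d, registered %s) matches the shared Slick Popup support account. '
        . 'Delete it and review every account created after that date for a second backdoor.',
        $user->user_login,
        $user->ID,
        $user->user_registered
    );
    printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $msg ) );
}
add_action( 'admin_notices', 'spt_support_account_notice' );
```

The notice deliberately does not delete the account itself: an administrator should first check what that user created (posts, other users) before reassigning or removing its content.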