Researchers at Defiant have discovered a flaw in the Slick Popup WordPress plugin that lets attackers gain a foothold on vulnerable sites and plant backdoor accounts. All versions of the plugin are affected, including the latest, 1.7.1.
According to Defiant, Slick Popup ships with a dangerous "support access" feature: when a site owner contacts technical support, it lets them grant specialists from Om Ak Solutions, the plugin's developer, access to the site. The problem is that the feature does this by creating a dedicated account whose credentials are identical on every installation: slickpopupteam / OmakPass13#.
The researchers warn that attackers could easily enumerate sites running Slick Popup and then check whether the support account is present on each of them. Logging in with those shared credentials, they could create further accounts of their own, leaving a persistent backdoor on the site. Worse, the privilege level of the account that triggers the feature does not matter: even a plain Subscriber can create the support account, and with it the backdoor.
So far Om Ak Solutions has released a patch only for the paid version of the plugin; the free version remains vulnerable (although it has been temporarily pulled from download). Defiant therefore strongly recommends that users either deactivate Slick Popup for now or remove it altogether. There is a third option: disable the support-access function (the action_splite_support_access AJAX action), which prevents the support account from being created. The researchers caution, however, that this does nothing about a support or backdoor account that already exists on the site, which must be found and removed separately.
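For site owners who cannot remove the plugin immediately, the "third option" above can be implemented as a small must-use plugin. The following is an added example written for this article, not code from Defiant or Om Ak Solutions. It assumes that Slick Popup registers its support-access handler on the standard WordPress AJAX hook for the action name given above (wp_ajax_action_splite_support_access) and that the hardcoded account's login is slickpopupteam, as reported. It unhooks the handler, answers any call to it with an error, and surfaces an admin notice if the shared account, or any administrator registered after it, still exists on the site.

```php
<?php
/**
 * Plugin Name: Slick Popup support-access kill switch (added example, not the plugin's own code)
 * Description: Drop this file into wp-content/mu-plugins/ so it loads on every request.
 *
 * Assumptions (not taken from the original article):
 *  - Slick Popup registers its support-access callback on the standard
 *    'wp_ajax_<action>' hook for the action name action_splite_support_access.
 *  - The hardcoded account's login is 'slickpopupteam'.
 */

const SLICKPOPUP_SUPPORT_ACTION = 'action_splite_support_access';
const SLICKPOPUP_SUPPORT_LOGIN  = 'slickpopupteam';

/**
 * 1. Disable the support-access AJAX action.
 *
 * admin-ajax.php fires 'admin_init' before dispatching 'wp_ajax_<action>',
 * so unhooking on 'admin_init' at the lowest possible priority runs after
 * every callback the plugin may have registered at file scope, on
 * 'plugins_loaded' or on 'init'. The replacement handler makes sure the
 * request is answered with an error instead of falling through silently.
 */
add_action( 'admin_init', function () {
    foreach ( array( 'wp_ajax_', 'wp_nopriv_ajax_' ) as $prefix ) {
        $hook = $prefix . SLICKPOPUP_SUPPORT_ACTION;
        remove_all_actions( $hook );
        add_action( $hook, function () {
            // Explicit 403 so monitoring can tell a blocked attempt from a missing handler.
            wp_send_json_error( 'support access is disabled on this site', 403 );
        } );
    }
}, PHP_INT_MAX );

/**
 * 2. Detect an already-created support account and any administrators that
 *    appeared after it. Disabling the AJAX action does not remove an existing
 *    account, so this must be reviewed and cleaned up by a human.
 *
 * @return array{support:?WP_User, suspects:WP_User[]}
 */
function slickpopup_find_suspect_accounts() {
    $support  = get_user_by( 'login', SLICKPOPUP_SUPPORT_LOGIN );
    $suspects = array();
    if ( $support ) {
        // Administrators registered at or after the support account: the shared
        // login could have been used to create them as a persistent backdoor.
        $admins = get_users( array(
            'role'    => 'administrator',
            'orderby' => 'registered',
            'order'   => 'DESC',
        ) );
        foreach ( $admins as $admin ) {
            if ( $admin->ID !== $support->ID && $admin->user_registered >= $support->user_registered ) {
                $suspects[] = $admin;
            }
        }
    }
    return array( 'support' => $support ?: null, 'suspects' => $suspects );
}

add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $found = slickpopup_find_suspect_accounts();
    if ( ! $found['support'] ) {
        return;
    }
    $lines = array( sprintf(
        'Shared Slick Popup support account "%s" (ID %d, roles: %s, registered %s) exists on this site. Delete it after reviewing its activity.',
        $found['support']->user_login,
        $found['support']->ID,
        implode( ', ', $found['support']->roles ),
        $found['support']->user_registered
    ) );
    foreach ( $found['suspects'] as $u ) {
        $lines[] = sprintf( 'Administrator "%s" (ID %d) was registered on %s, after the support account; verify it is legitimate.',
            $u->user_login, $u->ID, $u->user_registered );
    }
    echo '<div class="notice notice-error"><p>' . implode( '</p><p>', array_map( 'esc_html', $lines ) ) . '</p></div>';
} );
```

The file only blocks and reports; it deliberately does not delete anything, because an administrator account created by an attacker may own content or have been renamed, and removal (for example with wp_delete_user() or `wp user delete`) should follow a manual review of when the support account was registered and what it did. Rotating the credentials of every legitimate administrator after such a review is the usual follow-up.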