Privilege Escalation Flaw Present In Slick Popup Plugin

In April, our Threat Intelligence team identified a privilege escalation flaw present in the latest version of Slick Popup, a WordPress plugin with approximately 7,000 active installs. We notified the developers, a firm called Om Ak Solutions, who acknowledged the issue and informed us that a patch would be released.

Per our disclosure policy, we allowed 30 days for resolution of this issue before releasing details to the public. Unfortunately, the deadline has passed without a satisfactory patch by the plugin’s developers. At this time, all version of Slick Popup up to 1.7.1 are vulnerable.

In this post we’ll look at the vulnerability in question and what you should do if you’re making use of the plugin.

Subscriber+ Privilege Escalation Flaw In Support Access Feature

One feature of Slick Popup is the ability to grant support access to the plugin’s developers, Om Ak Solutions, with one click in the dashboard. This generates a new administrator account and sends an email to Om Ak Solutions with details. Two issues in this process combine to create the privilege escalation vulnerability in question.

// ADD NEW ADMIN USER TO WORDPRESS
// ----------------------------------
// Put this file in your WordPress root directory and run it from your browser.
// Delete it when you're done.
//require_once(ABSPATH . 'wp-blog-header.php');
//require_once(ABSPATH . 'wp-includes/registration.php');
// ----------------------------------------------------
// CONFIG VARIABLES
// Make sure that you set these before running the file.
$newusername = 'slickpopupteam';
$newpassword = 'OmakPass13#';
$newemail = 'poke@slickpopup.com';
// ----------------------------------------------------
// This is just a security precaution, to make sure the above "Config Variables" 
// have been changed from their default values.
if ( $newpassword != 'YOURPASSWORD' &&
	 $newemail != 'YOUREMAIL@TEST.com' &&
	 $newusername !='YOURUSERNAME' )
{
	// Check that user doesn't already exist
	if ( !username_exists($newusername) && !email_exists($newemail) )
	{
		// Create user and set role to administrator
		$user_id = wp_create_user( $newusername, $newpassword, $newemail);
		if ( is_int($user_id) )
		{
			$wp_user_object = new WP_User($user_id);
			$wp_user_object->set_role('administrator');

First, the credentials associated with this new administrative account are hard-coded into the plugin. When the user is created, it will have the username slickpopupteam and its password is OmakPass13#. Since this is a known value in all cases, it’s possible for malicious actors to assemble a list of sites making use of the plugin and occasionally test for the presence of this support user. Once logged in, they’re free to create other backdoors independent of this user.

add_action( 'wp_ajax_action_splite_support_access', 'action_splite_support_access' );
function action_splite_support_access() {
	$ajaxy = array(); 
	$errors = array(); 
	
	$todo = (isset($_POST['todo']) AND !empty($_POST['todo'])) ? $_POST['todo'] : 'createuser'; 

However, attackers with at least Subscriber access to an affected site can create this user on their own. Since the AJAX action used to generate this user doesn’t contain any capabilities checks, it can be accessed by any logged-in user. This, combined with the hard-coded credentials in the plugin, means any user with an account can grant themselves administrative access and take over a site.

During our research we identified that the user creation script used by this plugin is somewhat popular, and can be found in several GitHub gists like this one. We searched the WordPress.org plugin repository for other uses of this script and found another one of Om Ak Solution’s plugins, Contact Form 7 Spam Blocker. We included this additional plugin in our report to the developer.

Private Disclosure Timeline

  • April 22 – Vulnerability disclosed to Om Ak Solutions.
  • April 25 – WAF rule released to protect Wordfence Premium users from attacks on this flaw.
  • April 27 – Developer acknowledges issue and states a patch will be released
  • May 14 – Slick Popup version 1.7.1 released – issue unresolved in this patch.
  • May 22 – Public disclosure deadline.
  • May 25 – WAF rule released for free users.

Shortly before the writing of this article, a representative of Om Ak Solutions claimed a patch has been released for the Pro version of Slick Popup and that a patch for the free version is in progress. The reported patch of the Pro version has not been tested by the Wordfence team at this time.

Next Steps

As mentioned above, Slick Popup versions up to and including 1.7.1 are vulnerable. It is our recommendation that users of the plugin deactivate or delete the plugin until a patch is available.

However, it’s possible to deactivate the vulnerable Support Access feature on current versions of the plugin without affecting the rest of the plugin’s functionality. Doing this requires making a small change to the plugin’s files, and you should note a few things beforehand:

  • This will break the plugin’s ability to grant support access to Om Ak Solutions.
  • Any updates to the plugin will overwrite this change and reactivate the feature.
  • This will not remove an existing slickpopupteam user, legitimate or otherwise. That will need to be done manually if one is present.
  • We cannot provide support for implementing this short-term fix, nor can we assist with other issues that may arise during the process.

To prevent the creation of these users, all you need to do is comment out the line where the action_splite_support_access AJAX action is registered. In the latest version of the plugin, this is on line 523 of the file /libs/admin-pages.php.

Before:

add_action( 'wp_ajax_action_splite_support_access', 'action_splite_support_access' );

After:

//add_action( 'wp_ajax_action_splite_support_access', 'action_splite_support_access' );

Conclusion

In this post, we detailed an unpatched privilege escalation flaw in the Slick Popup plugin which allows subscribers to gain administrative access to an affected WordPress site. Because of the relatively small userbase of the plugin, and the authentication necessary to exploit it, we do not anticipate widespread attack campaigns leveraging this vulnerability. A Firewall rule to protect against attempts to exploit this vulnerability was released on April 25th and is currently available for sites running Wordfence Premium as well as the free version.

Did you enjoy this post? Share it!

Comments

2 Comments
  • The new versions have been released. The said flaw is completely removed from the new version.

  • This is untested, but you could add this to your theme's functions.php file to remove the support access feature and it would persist through future updates of the plugin (better than editing the plugin's source):

    `
    remove_action( 'wp_ajax_action_splite_support_access', 'action_splite_support_access' );
    `