WordPress Slick Popup Backdoor Vulnerability

The Slick-Popup plugin for WordPress sites has been compromised by hackers who can enable a backdoor administrator account with hardcoded credentials according to Wordfence. The Slick Popup enables website administrators to customize the Contact Form 7 plugin and place it anywhere on a website.   

Experts Comments:

Usman Rahim, Digital Security and Operations Manager at The Media Trust:  

“Attacks on the digital supply chain are on the rise because they give hackers more bang for their buck. By attacking one developer, a hacker gains access to users of multiple websites. What’s more, these developers tend to be soft targets—testing for security and privacy is not a distinguishing feature of their development lifecycle. But the ultimate victims of such attacks are consumers whose data are being traded and used for a variety of fraud and theft. It’s time for businesses to take online security and privacy more seriously. If we’ve learned anything from the UK’s General Data Privacy Regulation (GDPR), it’s that consumers are fed up and will be happy to flex their newfound privacy rights. And when they do, smaller developers that operate on thinner margins will feel the brunt of new data privacy laws like California Consumer Privacy Act (CCPA). 

Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks: 

It seems that in an earlier version of the plugin, the source code did contain the unusable credentials YOURUSERNAME/YOURPASSWORD hardcoded and a safety check that these values have been changed by the site administrator or else the plugin would throw an error. But in the most recent version published, those dummy values have been changed to the hardcoded values slickpopupteam/OmakPass13#, rendering the safety check useless.  

This vulnerability is unsettling at multiple levels. First of all, I am appalled at why did the developer leave a backdoor account with a hardcoded username and password in the publicly released version of the plugin, where anyone can see those values. Secondly, I am surprised at the reaction of the developer not to provide a fix for the free version given it is open source, and only provide it for the paid subscribers. Thirdly, this goes a long way to highlight the misconception that because a software is open source, it must be safe to use. You really have to do your leg work before integrating a third party package in your solution, and that includes not only looking for potential gaps in the downloaded version, but also in the security posture of the provider to avoid any future supply chain attack.