Level 59
Content Creator
Malware Hunter
A WordPress plugin, Slick Popup, has a serious privilege escalation flaw – and it has yet to be patched.

WordPress plugin Slick Popup, which has 7,000 active installs and provides a tool for displaying the Contact Form 7 as a popup on WordPress websites. However, researchers with Wordfence said that they found a privilege escalation flaw in all versions (up to 1.7.1) of the plugin.
“Per our disclosure policy, we allowed 30 days for resolution of this issue before releasing details to the public,” researchers said in a Tuesday post. Unfortunately, the deadline has passed without a satisfactory patch by the plugin’s developers.”

Om Ak Solutions, the developers behind Slick Popup (and several other plugins, including Contact Form 7 Spam Blocker, Floating Icons and more), have removed the plugin from the WordPress plugin repository while dealing with a fix. The developers did not respond to a request for comment from Threatpost on when specifically a patch would be released.


New Member
Om Ak Solutions claimed a patch has been released for the Pro version of Slick Popup and that a patch for the free version is in progress. The reported patch of the Pro version has not been tested by the Wordfence team at this time.