Instant Popup Builder WordPress Plugin Unauthenticated Arbitrary Shortcode Execution Vulnerability

Vulnerability

A vulnerability allowing unauthenticated arbitrary shortcode execution has been identified in the Instant Popup Builder plugin for WordPress, affecting all versions through 1.1.7. The issue arises in the handle_email_verification_page() function, which builds a shortcode string from user-supplied GET parameters (token, email) and passes it to do_shortcode() without sanitizing square bracket characters. Because a `]` inside the token closes the shortcode's attribute list, whatever follows it is parsed as new shortcode syntax. This missing sanitization, combined with missing authorization checks, allows unauthenticated attackers to inject and execute arbitrary registered shortcodes by manipulating the token parameter.

Impact

Exploitation of this vulnerability allows unauthenticated users to execute any shortcode registered on the site. The actual impact depends on which shortcodes other installed plugins and themes expose, since the attacker inherits whatever each shortcode's callback is able to do.

Reproduction

To reproduce this vulnerability, send a GET request to a WordPress site with the Instant Popup Builder plugin installed, targeting the email verification page. Include a crafted token parameter that contains a closing bracket followed by shortcode syntax. The request can be made manually or through a script that automates the process.

Remediation

Users are advised to update the Instant Popup Builder plugin to version 1.1.8 or later, where this vulnerability has been patched.
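To make the root cause and the fix concrete, the following is an added illustration and not the plugin's own code. It places the vulnerable pattern described in the Vulnerability section beside a hardened handler that never feeds user input back through do_shortcode(). The shortcode name `ipb_verify_email`, the function names, the hex token format and the transient-based token storage are assumptions made for this example; the real plugin's internals may differ.

```php
<?php
// Added example, not code from the Instant Popup Builder plugin.
// Assumes a WordPress runtime (do_shortcode, wp_unslash, wp_die, transients).

// VULNERABLE pattern (as described in the advisory): GET parameters are
// interpolated into a shortcode string and re-parsed by do_shortcode().
// A `]` inside `token` terminates the attribute list, so the remainder of the
// value is parsed as shortcode syntax of its own.
function ipb_handle_email_verification_vulnerable() {
    $token = isset( $_GET['token'] ) ? $_GET['token'] : '';
    $email = isset( $_GET['email'] ) ? $_GET['email'] : '';
    echo do_shortcode( '[ipb_verify_email token="' . $token . '" email="' . $email . '"]' );
}

// HARDENED pattern: validate both inputs against a strict allow-list, then
// call the shortcode callback directly with an attribute array. No
// user-controlled byte is ever interpreted as shortcode syntax.
function ipb_handle_email_verification_hardened() {
    $token = isset( $_GET['token'] ) ? wp_unslash( $_GET['token'] ) : '';
    $email = isset( $_GET['email'] ) ? wp_unslash( $_GET['email'] ) : '';

    // Assumed token format: 32 to 64 hex characters. Anything else, including
    // `[`, `]` and quotes, is rejected before reaching any rendering path.
    if ( ! preg_match( '/^[a-f0-9]{32,64}$/i', $token ) ) {
        wp_die(
            esc_html__( 'Invalid verification token.', 'instant-popup-builder' ),
            '',
            array( 'response' => 400 )
        );
    }

    $email = sanitize_email( $email );
    if ( ! is_email( $email ) ) {
        wp_die(
            esc_html__( 'Invalid email address.', 'instant-popup-builder' ),
            '',
            array( 'response' => 400 )
        );
    }

    // Pass attributes as an array instead of round-tripping through do_shortcode().
    echo ipb_verify_email_shortcode( array( 'token' => $token, 'email' => $email ) );
}

// Shortcode callback. The transient-based storage scheme is an assumption.
function ipb_verify_email_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'token' => '', 'email' => '' ), $atts, 'ipb_verify_email' );

    $key    = 'ipb_verify_' . md5( strtolower( $atts['email'] ) );
    $stored = get_transient( $key );

    // Constant-time comparison against the stored token.
    if ( ! is_string( $stored ) || ! hash_equals( $stored, $atts['token'] ) ) {
        return '<p>' . esc_html__( 'Verification failed.', 'instant-popup-builder' ) . '</p>';
    }

    delete_transient( $key ); // single-use token
    return '<p>' . esc_html__( 'Email verified.', 'instant-popup-builder' ) . '</p>';
}
add_shortcode( 'ipb_verify_email', 'ipb_verify_email_shortcode' );
```

The important design choice is the last one: once a handler has the values it needs, it should pass them to the callback as data rather than rebuild and re-parse shortcode text. Allow-listing the token format is a second, independent layer; stripping only `[` and `]` would be a narrower fix that still leaves the string-rebuilding pattern in place.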

Added: Mar 19, 2026, 8:28 AM
Updated: Mar 19, 2026, 8:28 AM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 1.3
exploitability: 8.4
remediation: 0.0
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.