Convert Plus WordPress Plugin Vulnerability Exploit [FIXED]


In our earlier posts last week, we covered several vulnerable plugins that were exploited by hackers, such as the zero-day vulnerability in the WordPress Yellow Pencil plugin, the vulnerability in the Social Warfare plugin, and the one in the WordPress Easy WP SMTP plugin, all of which have since been fixed. If vulnerable plugins are left outdated and unpatched, your WordPress site can end up hacked.

Type – Unauthenticated Administrator Creation

Timeline

  • May 24 – Vulnerability discovered.
  • May 28 – Patch released by developers.

Convert Plus, a commercial WordPress plugin with more than 1 lakh (100,000) active installations, is affected by a critical flaw that an unauthenticated attacker could exploit to create accounts with administrator privileges.

This flaw permitted unauthenticated attackers to register new accounts with arbitrary user roles, up to and including Administrator accounts. The problem was reported privately to the plugin's development team, who released a patch just a few days later.

Convert Plus (formerly ConvertPlug) versions up to 3.4.2 are vulnerable to this flaw. All Convert Plus users should update to version 3.4.3 immediately, as this is a critical security issue.

Convert Plus – A WordPress Popup Plugin For More Email Subscribers


Convert Plus is a lead generation WordPress plugin used to display marketing popups, info bars, and other elements to a site's visitors, with several calls to action such as email subscription and coupon codes.

  • With over 10 display positions, Convert Plus lets you utilize any location on screen.
  • Lets you seamlessly embed lead capture forms at prominent locations on your website.
  • Synchronizes with external sources, generating more targeted and segmented email lists.
  • Allows you to display the right message at the right time by tracking visitor interaction on your website.

Convert Plus was created to make websites more appealing and to call visitors to action. The intended effect is to grow the user base and sales conversions, achieved through various call-to-action elements on the page.

How Does the Convert Plus Plugin Flaw Let Attackers Become a WordPress Admin?

When building a form to capture new subscribers, an admin can define a WordPress user role to be associated with the email address provided.

By default this value is None and no user is created, but the site's owner can have these forms create new Subscriber accounts, or accounts with any other role they'd like.

The exception is the Administrator role: the plugin removes it from the list of available roles when generating the dropdown menu.

global $wp_roles;
// Build the dropdown of role names from the roles registered on the site.
$roles    = $wp_roles->get_names();
$user_arr = array();
foreach ( $roles as $rkey => $rvalue ) {
    $user_arr[ $rvalue ] = $rvalue;
}
// "None" is the first entry; the Administrator entry is removed from the menu.
$first_item = array( 'None' );
$new_arr    = $user_arr;
unset( $new_arr['Administrator'] );
$new_arr = $first_item + $new_arr;

However, in vulnerable versions of the plugin, this intended user role wasn't read back from the database on submission. Instead, the setting was mirrored in a hidden field on the plugin's forms called cp_set_user.

Because this value arrives in the same HTTP request as the rest of the subscription entry, it can be modified by the user.

// Add subscriber as new user role to site.
// The role is taken straight from the POST body; nothing compares it against
// the role the site owner configured for this form.
$new_role = isset( $_POST['cp_set_user'] ) ? $_POST['cp_set_user'] : 'None';
if ( 'success' === $status && ! $only_conversion ) {
    if ( '1' === $sub_optin || 1 === $sub_optin ) {
        $list_name  = str_replace( 'cp_connects_', '', $data_option );
        $list_name  = str_replace( '_', ' ', $list_name );
        $page_url   = isset( $cp_settings['cp-page-url'] ) ? $cp_settings['cp-email-body'] : '';
        $style_name = isset( $_POST['cp_module_name'] ) ? esc_attr( $_POST['cp_module_name'] ) : '';
        cp_notify_sub_to_admin( $list_name, $param, $sub_email, $email_sub, $email_body, $cp_page_url, $style_name );
    }
    // Any value other than an empty string or "None"/"none" is passed through unchecked.
    if ( '' !== $new_role && ( 'None' !== $new_role && 'none' !== $new_role ) ) {
        cp_add_new_user_role( $param, $new_role );
    }
}

This code calls the plugin's function cp_add_new_user_role with the role provided in the AJAX request, and that function then creates the user as instructed.

Since no filtering is applied when the subscription is completed, if an attacker submits a subscription form with the value of cp_set_user changed to "administrator", the plugin will create an administrator user associated with the given email address.

The new account is given a randomized password, but the attacker can issue an ordinary password reset to gain access to the fake administrator account.
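The root cause above is that the role comes from the request instead of from the server-side form configuration. The following is an added illustration of the hardened pattern (not Convert Plus's own code); it assumes a hypothetical option cp_form_roles mapping form IDs to role slugs, a hypothetical AJAX action cp_subscribe, and a nonce field cp_nonce, none of which appear on the page.

```php
<?php
// Added illustration, not Convert Plus's own code. Assumes the admin-chosen role for
// each form is stored server-side under a hypothetical option 'cp_form_roles'
// (form_id => role slug); the real storage location is not shown on the page.

function cp_safe_role_for_form( $form_id ) {
    // Read the role the site owner configured; the request never supplies it.
    $configured = get_option( 'cp_form_roles', array() );
    $role       = isset( $configured[ $form_id ] ) ? $configured[ $form_id ] : 'none';
    if ( 'none' === strtolower( $role ) ) {
        return null; // default: create no user at all
    }
    // Allowlist against roles that actually exist, and never allow administrator.
    $roles = wp_roles()->get_names();
    if ( 'administrator' === $role || ! isset( $roles[ $role ] ) ) {
        return null;
    }
    return $role;
}

function cp_handle_subscription() {
    // The nonce ties the request to a form the site actually rendered.
    check_ajax_referer( 'cp_subscribe', 'cp_nonce' );

    $form_id = isset( $_POST['cp_form_id'] ) ? sanitize_key( $_POST['cp_form_id'] ) : '';
    $email   = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( '' === $form_id || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid input' );
    }

    // Vulnerable pattern shown on this page, for contrast (do not use):
    // $new_role = isset( $_POST['cp_set_user'] ) ? $_POST['cp_set_user'] : 'None';
    $new_role = cp_safe_role_for_form( $form_id );

    if ( null !== $new_role && ! email_exists( $email ) ) {
        $user_id = wp_insert_user( array(
            'user_login' => sanitize_user( $email, true ),
            'user_email' => $email,
            'user_pass'  => wp_generate_password( 24 ),
            'role'       => $new_role,
        ) );
        if ( is_wp_error( $user_id ) ) {
            wp_send_json_error( $user_id->get_error_message() );
        }
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_cp_subscribe', 'cp_handle_subscription' );
add_action( 'wp_ajax_cp_subscribe', 'cp_handle_subscription' );
```

Even if an attacker edits the hidden field, the role used for wp_insert_user is whatever the site owner stored, checked against the registered roles with administrator excluded outright.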

Convert Plus Vulnerability Patched [Fixed]


Since Convert Plus is distributed through CodeCanyon, it may take a while for the updated version of the plugin to become available for download there. For that reason, the developers have released an automatic update that can be applied through the WordPress backend.

We strongly recommend that all users activate their license so that they do not miss such update notifications and can update Convert Plus with a single click.

Wrap Up

That said, we remain committed to providing ongoing assistance and to making quality and security even stronger. We are constantly working to make sure that WordPress plugins are secure and reliable.

In this post we shared information on a critical security flaw recently patched in the popular Convert Plus plugin for WordPress. The vulnerability has been fixed as of version 3.4.3 of the plugin, and it is important that all affected users update as soon as possible.
As always, monitor your network for activity associated with this flaw and update
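Because a successful attack leaves behind an administrator account that was later claimed through a password reset, the first thing to check after patching is the list of administrators and when they were registered. The following audit helper is an added example, not from the page or the plugin; the cutoff date and the list of known administrator logins are assumptions to replace with your own.

```php
<?php
// Added audit helper, not from the page or the plugin. Lists administrator
// accounts registered on or after $since and returns those whose login is not
// in $known_admins. Run it with WP-CLI ('wp eval-file audit.php') or as an
// mu-plugin so WordPress functions are loaded.

function cp_find_unexpected_admins( $since, array $known_admins ) {
    $query = new WP_User_Query( array(
        'role'       => 'administrator',
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        // user_registered is the column date_query filters on for users.
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'number'     => -1, // all matching users, not just the first page
    ) );

    $suspects = array();
    foreach ( $query->get_results() as $user ) {
        // Any administrator you did not create yourself deserves a closer look.
        if ( ! in_array( $user->user_login, $known_admins, true ) ) {
            $suspects[] = $user;
        }
    }
    return $suspects;
}

// Assumptions: adjust the exposure window and the known-admin list for your site.
$since        = '2019-05-24';
$known_admins = array( 'siteowner' );

foreach ( cp_find_unexpected_admins( $since, $known_admins ) as $u ) {
    printf( "%d\t%s\t%s\t%s\n", $u->ID, $u->user_login, $u->user_email, $u->user_registered );
}
```

Cross-check any account it reports against your password-reset emails and web server logs for the same period before removing it.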
