The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access.
References
Configurations
History
30 Oct 2024, 21:11
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:themehunk:wp_popup_builder:*:*:*:*:*:wordpress:*:* | |
First Time |
Themehunk
Themehunk wp Popup Builder |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | () https://plugins.trac.wordpress.org/changeset/3166506/wp-popup-builder - Patch | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/0cac1dc0-87dc-43eb-9db1-638a91200b43?source=cve - Third Party Advisory |
16 Oct 2024, 16:38
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
16 Oct 2024, 08:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-16 08:15
Updated : 2024-10-30 21:11
NVD link : CVE-2024-9061
Mitre link : CVE-2024-9061
CVE.ORG link : CVE-2024-9061
JSON object : View
Products Affected
themehunk
- wp_popup_builder
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')