Vulnerabilities (CVE)

Filtered by vendor Themehunk Subscribe
Filtered by product Wp Popup Builder
Total 3 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-9061 1 Themehunk 1 Wp Popup Builder 2024-10-30 N/A 9.8 CRITICAL
The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access.
CVE-2022-2404 1 Themehunk 1 Wp Popup Builder 2024-02-28 N/A 6.1 MEDIUM
The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
CVE-2022-2405 1 Themehunk 1 Wp Popup Builder 2024-02-28 N/A 4.3 MEDIUM
The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup