Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-17574

CWE-639Insecure Direct Object Reference5 documents5 sources
Severity
9.1CRITICAL
EPSS
86.9%
top 0.57%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Code-atlantic Popup Maker
Timeline
PublishedOct 14
Latest updateMay 24

Description

An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file").

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages1 packages

🔴Vulnerability Details

3
GHSA
GHSA-4hv6-wvv9-jh2f: An issue was discovered in the Popup Maker plugin before 12022-05-24
CVEList
CVE-2019-17574: An issue was discovered in the Popup Maker plugin before 12019-10-14
VulnCheck
code-atlantic popup_maker Authorization Bypass Through User-Controlled Key2019

💥Exploits & PoCs

1
Nuclei
Popup-Maker < 1.8.12 - Broken Authentication
CVE-2019-17574 (CRITICAL CVSS 9.1) | An issue was discovered in the Popu | cvebase.io