CVE-2020-10195Sensitive Information Exposure in Popup Builder

CWE-200Sensitive Information Exposure3 documents3 sources
Severity
6.3MEDIUMNVD
EPSS
0.5%
top 35.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Sygnoos Popup Builder
Timeline
PublishedMar 13
Latest updateMay 24

Description

The popup-builder plugin before 3.64.1 for WordPress allows information disclosure and settings modification, leading to in-scope privilege escalation via admin-post actions to com/classes/Actions.php. By sending a POST request to wp-admin/admin-post.php, an authenticated attacker with minimal (subscriber-level) permissions can modify the plugin's settings to allow arbitrary roles (including subscribers) access to plugin functionality by setting the action parameter to sgpbSaveSettings, export a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages1 packages

NVDsygnoos/popup_builder< 3.64.1

🔴Vulnerability Details

2
GHSA
GHSA-2cm7-996m-ffcv: The popup-builder plugin before 32022-05-24
CVEList
CVE-2020-10195: The popup-builder plugin before 32020-03-13
CVE-2020-10195 — Sensitive Information Exposure | cvebase