CVE-2022-0424
Published 2022-05-09
Priority: P3 (40) | Severity: medium | CVSS 3.1 base score: 5.3
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
Exploit: EPSS 2.69% (84.0th percentile)
The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users
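The bug class this CVE describes, shown as an added illustration (it is not Supsystic's code, which this page does not reproduce): a WordPress AJAX handler registered on the `wp_ajax_nopriv_` hook, so logged-out visitors can reach it through `wp-admin/admin-ajax.php`, with no nonce check (authentication) and no capability check (authorisation) before it returns subscriber e-mail addresses, beside one hardened form. The action name `example_get_subscribers`, the callback names and the `example_subscribers` table are hypothetical.

```php
<?php
/*
 * Added illustration, not the plugin's own code. Every identifier below
 * (action name, callbacks, table) is hypothetical; the real ones are not
 * on this page.
 */

/* ---- Vulnerable pattern -------------------------------------------------
 * wp_ajax_nopriv_* makes the callback reachable without logging in, and the
 * callback never verifies a nonce or a capability, so anyone who can POST
 * action=example_get_subscribers to admin-ajax.php gets the whole list.
 */
add_action( 'wp_ajax_nopriv_example_get_subscribers', 'example_get_subscribers_vulnerable' );
add_action( 'wp_ajax_example_get_subscribers',        'example_get_subscribers_vulnerable' );

function example_get_subscribers_vulnerable() {
    global $wpdb;
    // Hypothetical subscriber table; every stored e-mail is returned as JSON.
    $rows = $wpdb->get_results(
        "SELECT email FROM {$wpdb->prefix}example_subscribers",
        ARRAY_A
    );
    wp_send_json_success( $rows );
}

/* ---- Hardened form ------------------------------------------------------
 * 1. No wp_ajax_nopriv_ registration: admin-ajax.php rejects the action for
 *    logged-out visitors before any plugin code runs.
 * 2. check_ajax_referer() ties the request to a nonce minted on the plugin's
 *    admin page with wp_create_nonce( 'example_subscribers_nonce' ) and dies
 *    with HTTP 403 when it is missing or invalid (CSRF + authentication).
 * 3. current_user_can() enforces authorisation: being logged in is not
 *    enough, the caller must be allowed to administer the plugin.
 */
add_action( 'wp_ajax_example_get_subscribers', 'example_get_subscribers_secure' );

function example_get_subscribers_secure() {
    check_ajax_referer( 'example_subscribers_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT email FROM {$wpdb->prefix}example_subscribers",
        ARRAY_A
    );
    wp_send_json_success( $rows );
}
```

A quick post-upgrade check that needs no knowledge of the plugin internals: an unauthenticated POST to `wp-admin/admin-ajax.php` naming the action should come back with the literal body `0` (HTTP 400 on current WordPress), which is what core sends when no `wp_ajax_nopriv_` handler exists for that action. A JSON body containing e-mail addresses means the unauthenticated hook is still registered.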
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| supsystic | popup | < 1.10.9 | 1.10.9 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
No detection rules found.
Nuclei
CVE-2022-0424 [MEDIUM] Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure (nuclei, CVSS 5.3)
Template:
```yaml
id: CVE-2022-0424

info:
  name: Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure
  author: s4e-io
  severity: medium
  description: |
    The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users
  impact: |
    Unauthenticated attackers can obtain email addresses of all subscribed users via an unprotected AJAX endpoint, potentially faci
```
No writeups or analysis indexed.