CVE-2024-2544 — Missing Authorization in Popup Builder

CWE-862 — Missing Authorization3 documents3 sources

Severity

6.4MEDIUMNVD

CNA7.4

EPSS

0.1%

top 68.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sygnoos Popup Builder

Timeline

PublishedJun 15

Description

The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple unauthorized actions, such as deleting subscribers, and importing subscribers to conduct stored cross-site scripting attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages1 packages

▶NVDsygnoos/popup_builder< 4.3.2

Patches

Patch: plugins.trac.wordpress.org ↗Patch: www.wordfence.com ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-f6rh-pgcv-pqrj: The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJ↗2024-06-15

▶

CVEList

Popup Builder <= 4.3.0 - Missing Authorization in Multiple AJAX Actions↗2024-06-15

▶