Description

WordPress Plugin Ninja Popups is prone to multiple vulnerabilities, including PHP object injection and local file inclusion vulnerabilities. Exploiting these issues could allow an attacker to possibly execute arbitrary PHP code within the context of the affected webserver process, or to obtain sensitive information that may help in further attacks. WordPress Plugin Ninja Popups version 4.5.3 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 4.5.4 or latest

References

http://wphutte.com/ninja-popups-4-5-3-authenticated-lfi-and-php-object-injection/

Related Vulnerabilities

PHP Use of Externally-Controlled Format String Vulnerability (CVE-2010-2950)

Java Unspesificed Vulnerability (CVE-2018-2941)

WordPress Plugin oQey Headers 'oqey_settings.php' SQL Injection (0.3)

WordPress Plugin Twitget Cross-Site Request Forgery (3.3.2)

Atlassian Jira URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2018-13401)

Severity

High

Classification

CWE-22 CWE-915 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update