Description

WordPress Plugin Popup Maker-Popup for opt-ins, lead gen, & more is prone to multiple vulnerabilities, including security bypass and information disclosure vulnerabilities. Exploiting these issues could allow an attacker to perform otherwise restricted actions and subsequently enable/disable popups, or to obtain sensitive information which could aid in launching further attacks. WordPress Plugin Popup Maker-Popup for opt-ins, lead gen, & more version 1.17.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.18.0 or latest

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/popup-maker/popup-maker-1171-missing-authorization-via-save-popup-enabled-state

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/popup-maker/popup-maker-1171-sensitive-data-exposure-via-debug-log-file

https://plugins.svn.wordpress.org/popup-maker/trunk/readme.txt

Related Vulnerabilities

WordPress Plugin Backup, Restore and Migrate WordPress Sites With the XCloner Cross-Site Scripting (3.1.2)

WordPress Plugin Calendar Event Multi View Multiple Vulnerabilities (1.1.4)

Drupal Core 8.5.x Cross-Site Scripting (8.5.0 - 8.5.14)

WordPress Plugin NextScripts:Social Networks Auto-Poster Cross-Site Scripting (3.4.17)

WordPress Plugin Child Theme Creator by Orbisius Arbitrary File Modification (1.2.6)

Severity

High

Classification

CVE-2022-47597 CWE-200 CWE-862 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update