Vulnerability Details CVE-2024-9061
The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.798
EPSS Ranking 99.0%
CVSS Severity
CVSS v3 Score 7.3
References
Products affected by CVE-2024-9061
-
cpe:2.3:a:themehunk:wp_popup_builder:-
-
cpe:2.3:a:themehunk:wp_popup_builder:1.0.0
-
cpe:2.3:a:themehunk:wp_popup_builder:1.0.1
-
cpe:2.3:a:themehunk:wp_popup_builder:1.0.2
-
cpe:2.3:a:themehunk:wp_popup_builder:1.0.3
-
cpe:2.3:a:themehunk:wp_popup_builder:1.0.4
-
cpe:2.3:a:themehunk:wp_popup_builder:1.0.5
-
cpe:2.3:a:themehunk:wp_popup_builder:1.0.6
-
cpe:2.3:a:themehunk:wp_popup_builder:1.0.7
-
cpe:2.3:a:themehunk:wp_popup_builder:1.0.8
-
cpe:2.3:a:themehunk:wp_popup_builder:1.0.9
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.0
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.1
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.10
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.11
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.12
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.13
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.14
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.2
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.3
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.4
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.5
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.6
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.7
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.8
-
cpe:2.3:a:themehunk:wp_popup_builder:1.1.9
-
cpe:2.3:a:themehunk:wp_popup_builder:1.2.0
-
cpe:2.3:a:themehunk:wp_popup_builder:1.2.1
-
cpe:2.3:a:themehunk:wp_popup_builder:1.2.2
-
cpe:2.3:a:themehunk:wp_popup_builder:1.2.3
-
cpe:2.3:a:themehunk:wp_popup_builder:1.2.4
-
cpe:2.3:a:themehunk:wp_popup_builder:1.2.5
-
cpe:2.3:a:themehunk:wp_popup_builder:1.2.6
-
cpe:2.3:a:themehunk:wp_popup_builder:1.2.7
-
cpe:2.3:a:themehunk:wp_popup_builder:1.2.8
-
cpe:2.3:a:themehunk:wp_popup_builder:1.2.9
-
cpe:2.3:a:themehunk:wp_popup_builder:1.3.0
-
cpe:2.3:a:themehunk:wp_popup_builder:1.3.1
-
cpe:2.3:a:themehunk:wp_popup_builder:1.3.2
-
cpe:2.3:a:themehunk:wp_popup_builder:1.3.3
-
cpe:2.3:a:themehunk:wp_popup_builder:1.3.4
-
cpe:2.3:a:themehunk:wp_popup_builder:1.3.5