CVE-2014-9525
Timed Popup 1.3 - Cross-Site Request Forgery via Plugin Settings
Title source: llmDescription
Multiple cross-site request forgery (CSRF) vulnerabilities in the Timed Popup (wp-timed-popup) plugin 1.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or (2) conduct cross-site scripting (XSS) attacks via the sc_popup_subtitle parameter in the wp-popup.php page to wp-admin/options-general.php.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/99377
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/99376
Exploit x_refsource_misc
http://packetstormsecurity.com/files/129510/WordPress-Timed-Popup-1.3-CSRF-XSS.html
Scores
EPSS
0.0115
EPSS Percentile
63.1%
Details
CWE
CWE-352
Status
published
Products (1)
timed_popup_project/timed_popup
1.3
Published
Jan 05, 2015
Tracked Since
Feb 18, 2026