CVE-2019-17574

CRITICAL EXPLOITED NUCLEI

Code-atlantic Popup Maker < 1.8.13 - IDOR

Title source: rule

Description

An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file").

Nuclei Templates (1)

Popup-Maker < 1.8.12 - Broken Authentication

CRITICALVERIFIEDby DhiyaneshDK

Shodan: http.html:/wp-content/plugins/popup-maker/

FOFA: body=/wp-content/plugins/popup-maker/

References (3)

[Exploit, Third Party Advisory] http://blog.redyops.com/wordpress-plugin-popup-maker/

[Release Notes] https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md

View Writeup ZIP pw:eip

[Third Party Advisory] https://wpvulndb.com/vulnerabilities/9907

Scores

CVSS v3 9.1

EPSS 0.8689

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

VulnCheck KEV 2025-06-23

CWE

CWE-639

Status published

Products (1)

code-atlantic/popup_maker < 1.8.13

Published Oct 14, 2019

Tracked Since Feb 18, 2026