CVE-2022-0424

MEDIUM NUCLEI

The Popup by Supsystic WordPress <1.10.9 - Info Disclosure

Title source: llm

Description

The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users.

Exploits (1)

github WORKING POC 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2022/CVE-2022-0424.md

Nuclei Templates (1)

Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure
MEDIUM · VERIFIED · by s4e-io
Shodan: http.html:/wp-content/plugins/popup-by-supsystic
FOFA: body=/wp-content/plugins/popup-by-supsystic

Scores

CVSS v3 5.3
EPSS 0.4197
EPSS Percentile 97.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-306
Status published
Products (1)
supsystic/popup < 1.10.9
Published May 09, 2022
Tracked Since Feb 18, 2026