CVE-2024-2544
HIGH
Popup Builder < 4.3.2 - Authenticated Data Modification and Deletion via Missing Capability Check
Title source: llm
Description
The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple unauthorized actions, such as deleting subscribers, and importing subscribers to conduct stored cross-site scripting attacks.
References (2)
Core References
Patch, Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/04802c63-4a5d-4948-9ef1-cf89c4cc757e?source=cve
Scores
CVSS v3
7.4
EPSS
0.0027
EPSS Percentile
18.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (2)
popupbuilder/Popup Builder – Create highly converting, mobile friendly marketing popups.
< 4.3.0
sygnoos/popup_builder
< 4.3.2
Published
Jun 15, 2024
Tracked Since
Feb 18, 2026