Vulnerabilities related to code-atlantic - popup_maker
CVE-2022-4362 (GCVE-0-2022-4362)
Vulnerability from cvelistv5
Published
2023-01-02 21:49
Modified
2025-04-10 15:03
Summary
The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks
References
https://wpscan.com/vulnerability/2660225a-e4c8-40f2-8c98-775ef2301212 (exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown Popup Maker Version: 0   < 1.16.9


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:34:50.159Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "exploit",
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/2660225a-e4c8-40f2-8c98-775ef2301212"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-4362",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T15:02:58.076112Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T15:03:53.813Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "product": "Popup Maker",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "1.16.9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tin Pham aka TF1T"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79 Cross-Site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-10T09:08:41.499Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/2660225a-e4c8-40f2-8c98-775ef2301212"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Popup Maker \u003c 1.16.9 - Contributor+ Stored XSS via Shortcode",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-4362",
    "datePublished": "2023-01-02T21:49:24.966Z",
    "dateReserved": "2022-12-08T11:20:28.234Z",
    "dateUpdated": "2025-04-10T15:03:53.813Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-10583 (GCVE-0-2024-10583)
Vulnerability from cvelistv5
Published
2024-12-12 06:46
Modified
2024-12-12 15:45
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘post_title’ parameter in all versions up to, and including, 1.20.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-10583",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-12T15:21:25.775885Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-12T15:45:37.881Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Popup Maker \u2013 Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder",
          "vendor": "danieliser",
          "versions": [
            {
              "lessThanOrEqual": "1.20.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "D.Sim"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Popup Maker \u2013 Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018post_title\u2019 parameter in all versions up to, and including, 1.20.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-12T06:46:33.622Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b4dc917-0d59-4163-a613-49afc1dc4d33?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3197898%40popup-maker\u0026new=3197898%40popup-maker\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-12-11T00:00:00.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Popup Maker \u2013 Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder \u003c= 1.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-10583",
    "datePublished": "2024-12-12T06:46:33.622Z",
    "dateReserved": "2024-10-31T13:28:47.208Z",
    "dateUpdated": "2024-12-12T15:45:37.881Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-24746 (GCVE-0-2025-24746)
Vulnerability from cvelistv5
Published
2025-01-24 17:25
Modified
2025-02-12 20:01
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Popup Maker Popup Maker allows Stored XSS. This issue affects Popup Maker: from n/a through 1.20.2.
Impacted products
Vendor Product Version
Popup Maker Popup Maker Version: n/a   <= 1.20.2


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24746",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T17:48:47.465504Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:01:15.265Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "popup-maker",
          "product": "Popup Maker",
          "vendor": "Popup Maker",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.20.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.20.2",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "savphill (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Popup Maker Popup Maker allows Stored XSS.\u003c/p\u003e\u003cp\u003eThis issue affects Popup Maker: from n/a through 1.20.2.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Popup Maker Popup Maker allows Stored XSS. This issue affects Popup Maker: from n/a through 1.20.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-24T17:25:23.212Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/popup-maker/vulnerability/wordpress-popup-maker-plugin-1-20-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Popup Maker wordpress plugin to the latest available version (at least 1.20.3)."
            }
          ],
          "value": "Update the WordPress Popup Maker wordpress plugin to the latest available version (at least 1.20.3)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Popup Maker plugin \u003c= 1.20.2 - Cross Site Scripting (XSS) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24746",
    "datePublished": "2025-01-24T17:25:23.212Z",
    "dateReserved": "2025-01-23T14:53:00.531Z",
    "dateUpdated": "2025-02-12T20:01:15.265Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-4381 (GCVE-0-2022-4381)
Vulnerability from cvelistv5
Published
2023-01-02 21:49
Modified
2025-04-10 15:01
Summary
The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks
References
https://wpscan.com/vulnerability/8bf8ebe8-1063-492d-a0f9-2f824408d0df (exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown Popup Maker Version: 0   < 1.16.9


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:41:44.631Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "exploit",
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/8bf8ebe8-1063-492d-a0f9-2f824408d0df"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-4381",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-10T15:00:49.799111Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-10T15:01:25.372Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "product": "Popup Maker",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "1.16.9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "An Doan"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79 Cross-Site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-10T09:08:43.236Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/8bf8ebe8-1063-492d-a0f9-2f824408d0df"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Popup Maker \u003c 1.16.9 - Contributor+ Stored XSS via Subscription Form",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-4381",
    "datePublished": "2023-01-02T21:49:25.883Z",
    "dateReserved": "2022-12-09T10:20:30.503Z",
    "dateUpdated": "2025-04-10T15:01:25.372Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-47358 (GCVE-0-2024-47358)
Vulnerability from cvelistv5
Published
2024-11-01 14:17
Modified
2024-11-01 20:20
CWE
Summary
Missing Authorization vulnerability in Popup Maker allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Popup Maker: from n/a through 1.19.2.
Impacted products
Vendor Product Version
Popup Maker Popup Maker Version: n/a   <= 1.19.2


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "popup_maker",
            "vendor": "code-atlantic",
            "versions": [
              {
                "lessThanOrEqual": "1.19.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47358",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-01T20:18:19.527466Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-01T20:20:29.270Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "popup-maker",
          "product": "Popup Maker",
          "vendor": "Popup Maker",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.20.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.19.2",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rafie Muhammad (Patchstack)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Popup Maker allows Accessing Functionality Not Properly Constrained by ACLs.\u003cp\u003eThis issue affects Popup Maker: from n/a through 1.19.2.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Popup Maker allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Popup Maker: from n/a through 1.19.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-01T14:17:04.126Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/popup-maker/wordpress-popup-maker-plugin-1-19-2-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to 1.20.0 or a higher version."
            }
          ],
          "value": "Update to 1.20.0 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Popup Maker plugin \u003c= 1.19.2 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-47358",
    "datePublished": "2024-11-01T14:17:04.126Z",
    "dateReserved": "2024-09-24T13:01:29.905Z",
    "dateUpdated": "2024-11-01T20:20:29.270Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-2284 (GCVE-0-2017-2284)
Vulnerability from cvelistv5
Published
2017-08-02 16:00
Modified
2024-08-05 13:48
Severity ?
CWE
  • Cross-site scripting
Summary
Cross-site scripting vulnerability in Popup Maker prior to version 1.6.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Impacted products
Vendor Product Version
Popup Maker Popup Maker Version: prior to version 1.6.5


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T13:48:05.202Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/1697216/#file3"
          },
          {
            "name": "JVN#92921024",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVN",
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN92921024/index.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wordpress.org/plugins/popup-maker/#developers"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpvulndb.com/vulnerabilities/8878"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Popup Maker",
          "vendor": "Popup Maker",
          "versions": [
            {
              "status": "affected",
              "version": "prior to version 1.6.5"
            }
          ]
        }
      ],
      "datePublic": "2017-08-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability in Popup Maker prior to version 1.6.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-11T08:06:00",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://plugins.trac.wordpress.org/changeset/1697216/#file3"
        },
        {
          "name": "JVN#92921024",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVN"
          ],
          "url": "https://jvn.jp/en/jp/JVN92921024/index.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wordpress.org/plugins/popup-maker/#developers"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpvulndb.com/vulnerabilities/8878"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2017-2284",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Popup Maker",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to version 1.6.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Popup Maker"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting vulnerability in Popup Maker prior to version 1.6.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://plugins.trac.wordpress.org/changeset/1697216/#file3",
              "refsource": "MISC",
              "url": "https://plugins.trac.wordpress.org/changeset/1697216/#file3"
            },
            {
              "name": "JVN#92921024",
              "refsource": "JVN",
              "url": "https://jvn.jp/en/jp/JVN92921024/index.html"
            },
            {
              "name": "https://wordpress.org/plugins/popup-maker/#developers",
              "refsource": "MISC",
              "url": "https://wordpress.org/plugins/popup-maker/#developers"
            },
            {
              "name": "https://wpvulndb.com/vulnerabilities/8878",
              "refsource": "MISC",
              "url": "https://wpvulndb.com/vulnerabilities/8878"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2017-2284",
    "datePublished": "2017-08-02T16:00:00",
    "dateReserved": "2016-12-01T00:00:00",
    "dateUpdated": "2024-08-05T13:48:05.202Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-5561 (GCVE-0-2024-5561)
Vulnerability from cvelistv5
Published
2024-09-09 06:00
Modified
2024-09-10 15:03
Summary
The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
References
https://wpscan.com/vulnerability/6a87cc25-bd7d-40e3-96f9-26646cd6f736/ (exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown Popup Maker Version: 0   < 1.19.1


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:popup_maker:popup_maker_wp:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "popup_maker_wp",
            "vendor": "popup_maker",
            "versions": [
              {
                "lessThan": "1.19.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.8,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-5561",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:02:06.343603Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-10T15:03:35.881Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Popup Maker",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "1.19.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dmitrii Ignatyev"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Popup Maker  WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79 Cross-Site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-09T06:00:01.342Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/6a87cc25-bd7d-40e3-96f9-26646cd6f736/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Popup Maker \u003c 1.19.1 - Admin+ Stored XSS",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2024-5561",
    "datePublished": "2024-09-09T06:00:01.342Z",
    "dateReserved": "2024-05-31T09:45:00.508Z",
    "dateUpdated": "2024-09-10T15:03:35.881Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-45819 (GCVE-0-2022-45819)
Vulnerability from cvelistv5
Published
2024-12-13 14:22
Modified
2024-12-23 18:04
CWE
  • CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in Popup Maker Popup Maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Popup Maker: from n/a through 1.17.1.
Impacted products
Vendor Product Version
Popup Maker Popup Maker Version: n/a   <= 1.17.1


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-45819",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-23T18:03:55.092252Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-23T18:04:08.458Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "popup-maker",
          "product": "Popup Maker",
          "vendor": "Popup Maker",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.18.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.17.1",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Istv\u00e1n M\u00e1rton (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMissing Authorization vulnerability in Popup Maker Popup Maker allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Popup Maker: from n/a through 1.17.1.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Popup Maker Popup Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Maker: from n/a through 1.17.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-13T14:22:02.516Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/popup-maker/vulnerability/wordpress-popup-maker-plugin-1-17-1-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Popup Maker plugin to the latest available version (at least 1.18.0)."
            }
          ],
          "value": "Update the WordPress Popup Maker plugin to the latest available version (at least 1.18.0)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Popup Maker plugin \u003c= 1.17.1 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2022-45819",
    "datePublished": "2024-12-13T14:22:02.516Z",
    "dateReserved": "2022-11-23T07:45:41.513Z",
    "dateUpdated": "2024-12-23T18:04:08.458Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-47597 (GCVE-0-2022-47597)
Vulnerability from cvelistv5
Published
2023-12-20 17:46
Modified
2024-08-03 14:55
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Popup Maker Popup Maker – Popup for opt-ins, lead gen, & more. This issue affects Popup Maker – Popup for opt-ins, lead gen, & more: from n/a through 1.17.1.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:55:08.404Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/popup-maker/wordpress-popup-maker-plugin-1-17-1-unauth-access-to-debug-log?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "popup-maker",
          "product": "Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026 more",
          "vendor": "Popup Maker",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.18.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.17.1",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "rezaduty (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Popup Maker Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026amp; more.\u003cp\u003eThis issue affects Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026amp; more: from n/a through 1.17.1.\u003c/p\u003e"
            }
          ],
          "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Popup Maker Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026 more.This issue affects Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026 more: from n/a through 1.17.1.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-20T17:46:04.968Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/popup-maker/wordpress-popup-maker-plugin-1-17-1-unauth-access-to-debug-log?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to\u0026nbsp;1.18.0 or a higher version."
            }
          ],
          "value": "Update to\u00a01.18.0 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Popup Maker Plugin \u003c= 1.17.1 is vulnerable to Sensitive Data Exposure",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2022-47597",
    "datePublished": "2023-12-20T17:46:04.968Z",
    "dateReserved": "2022-12-20T08:12:15.177Z",
    "dateUpdated": "2024-08-03T14:55:08.404Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-17574 (GCVE-0-2019-17574)
Vulnerability from cvelistv5
Published
2019-10-14 13:55
Modified
2024-08-05 01:47
Severity ?
CWE
  • n/a
Summary
An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file").
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:47:12.579Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://blog.redyops.com/wordpress-plugin-popup-maker/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpvulndb.com/vulnerabilities/9907"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the \"support debug text file\")."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-14T18:06:21",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://blog.redyops.com/wordpress-plugin-popup-maker/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpvulndb.com/vulnerabilities/9907"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-17574",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the \"support debug text file\")."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://blog.redyops.com/wordpress-plugin-popup-maker/",
              "refsource": "MISC",
              "url": "http://blog.redyops.com/wordpress-plugin-popup-maker/"
            },
            {
              "name": "https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md",
              "refsource": "MISC",
              "url": "https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md"
            },
            {
              "name": "https://wpvulndb.com/vulnerabilities/9907",
              "refsource": "MISC",
              "url": "https://wpvulndb.com/vulnerabilities/9907"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-17574",
    "datePublished": "2019-10-14T13:55:36",
    "dateReserved": "2019-10-14T00:00:00",
    "dateUpdated": "2024-08-05T01:47:12.579Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-3690 (GCVE-0-2022-3690)
Vulnerability from cvelistv5
Published
2022-11-21 00:00
Modified
2025-04-29 16:20
Summary
The Popup Maker WordPress plugin before 1.16.11 does not sanitise and escape some of its Popup options, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against admins
References
https://wpscan.com/vulnerability/725f6ae4-7ec5-4d7c-9533-c9b61b59cc2b (exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown Popup Maker Version: 0   < 1.16.11


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:14:03.298Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "exploit",
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/725f6ae4-7ec5-4d7c-9533-c9b61b59cc2b"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-3690",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-29T16:19:22.136366Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-29T16:20:14.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "product": "Popup Maker",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "1.16.11",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "c3p0d4y"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Popup Maker WordPress plugin before 1.16.11 does not sanitise and escape some of its Popup options, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against admins"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79 Cross-Site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-08T10:39:00.851Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/725f6ae4-7ec5-4d7c-9533-c9b61b59cc2b"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Popup Maker \u003c 1.16.11 - Contributor+ Stored Cross Site Scripting",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-3690",
    "datePublished": "2022-11-21T00:00:00.000Z",
    "dateReserved": "2022-10-26T00:00:00.000Z",
    "dateUpdated": "2025-04-29T16:20:14.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-2336 (GCVE-0-2024-2336)
Vulnerability from cvelistv5
Published
2024-04-09 18:58
Modified
2024-08-01 19:11
Summary
The Popup Maker – Popup for opt-ins, lead gen, & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.18.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Impacted products


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-2336",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-25T13:18:13.505625Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-25T13:20:02.370Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T19:11:53.527Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40e1215c-ac00-4fd6-b428-a57cef95aed1?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3053244%40popup-maker%2Ftrunk\u0026old=2989642%40popup-maker%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026 more",
          "vendor": "danieliser",
          "versions": [
            {
              "lessThanOrEqual": "1.18.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tim Coen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026 more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s shortcode(s) in all versions up to, and including, 1.18.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-09T18:58:45.238Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40e1215c-ac00-4fd6-b428-a57cef95aed1?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3053244%40popup-maker%2Ftrunk\u0026old=2989642%40popup-maker%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-03-20T00:00:00.000+00:00",
          "value": "Disclosed"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-2336",
    "datePublished": "2024-04-09T18:58:45.238Z",
    "dateReserved": "2024-03-08T18:46:28.207Z",
    "dateUpdated": "2024-08-01T19:11:53.527Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1104 (GCVE-0-2022-1104)
Vulnerability from cvelistv5
Published
2022-05-09 16:50
Modified
2024-08-02 23:55
Severity ?
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Summary
The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, on a multisite installation).
Impacted products


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:55:23.360Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/4d4709f3-ad38-4519-a24a-73bc04b20e52"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026 more",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "1.16.5",
              "status": "affected",
              "version": "1.16.5",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Roel van Beurden"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-09T16:50:46",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/4d4709f3-ad38-4519-a24a-73bc04b20e52"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Popup Maker \u003c 1.16.5 - Admin+ Stored Cross-Site Scripting",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-1104",
          "STATE": "PUBLIC",
          "TITLE": "Popup Maker \u003c 1.16.5 - Admin+ Stored Cross-Site Scripting"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026 more",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.16.5",
                            "version_value": "1.16.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Roel van Beurden"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/4d4709f3-ad38-4519-a24a-73bc04b20e52",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/4d4709f3-ad38-4519-a24a-73bc04b20e52"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-1104",
    "datePublished": "2022-05-09T16:50:46",
    "dateReserved": "2022-03-26T00:00:00",
    "dateUpdated": "2024-08-02T23:55:23.360Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-7054 (GCVE-0-2024-7054)
Vulnerability from cvelistv5
Published
2024-08-20 10:58
Modified
2024-08-20 13:31
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘close_text’ parameter in all versions up to, and including, 1.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7054",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-20T13:31:37.776895Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-20T13:31:48.810Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Popup Maker \u2013 Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder",
          "vendor": "danieliser",
          "versions": [
            {
              "lessThanOrEqual": "1.19.0",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "D.Sim"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Popup Maker \u2013 Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018close_text\u2019 parameter in all versions up to, and including, 1.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-20T10:58:30.167Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73524687-7703-4912-aad5-2a31122ba9b2?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3137126/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-08-19T00:00:00.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Popup Maker \u003c= 1.19.0 - Authenticated (Contributor+) Stored Cross-Site Scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-7054",
    "datePublished": "2024-08-20T10:58:30.167Z",
    "dateReserved": "2024-07-23T19:37:32.557Z",
    "dateUpdated": "2024-08-20T13:31:48.810Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Vulnerability from fkie_nvd
Published
2025-01-24 18:15
Modified
2025-03-28 19:15
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Popup Maker Popup Maker allows Stored XSS. This issue affects Popup Maker: from n/a through 1.20.2.
Impacted products
Vendor Product Version
code-atlantic popup_maker *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "D41C4702-93D0-400F-A174-FD764E5BD0AB",
              "versionEndIncluding": "1.20.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Popup Maker Popup Maker allows Stored XSS. This issue affects Popup Maker: from n/a through 1.20.2."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\u0027Cross-site Scripting\u0027) en Popup Maker Popup Maker permite XSS almacenado. Este problema afecta a Popup Maker: desde n/a hasta 1.20.2."
    }
  ],
  "id": "CVE-2025-24746",
  "lastModified": "2025-03-28T19:15:14.553",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 3.7,
        "source": "audit@patchstack.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-01-24T18:15:48.437",
  "references": [
    {
      "source": "audit@patchstack.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://patchstack.com/database/wordpress/plugin/popup-maker/vulnerability/wordpress-popup-maker-plugin-1-20-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
    }
  ],
  "sourceIdentifier": "audit@patchstack.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "audit@patchstack.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-11-21 11:15
Modified
2025-04-29 17:15
Summary
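The Popup Maker WordPress plugin before 1.16.11 does not sanitise and escape some of its Popup options, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against admins. (Both CVSS vectors in the record below set privileges required to HIGH, which does not match the Contributor-level access described here; check the required role before triaging on the score alone.)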
Impacted products
Vendor Product Version
code-atlantic popup_maker *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "AB5411EA-D328-430F-A080-3FEE4195126C",
              "versionEndExcluding": "1.16.11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Popup Maker WordPress plugin before 1.16.11 does not sanitise and escape some of its Popup options, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against admins"
    },
    {
      "lang": "es",
      "value": "El complemento Popup Maker de WordPress anterior a la versi\u00f3n 1.16.11 no sanitiza ni escapa a algunas de sus opciones de ventanas emergentes, lo que podr\u00eda permitir a los usuarios con un rol tan bajo como Colaborador realizar ataques de cross site scripting almacenados, que podr\u00edan usarse contra administradores."
    }
  ],
  "id": "CVE-2022-3690",
  "lastModified": "2025-04-29T17:15:36.297",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2022-11-21T11:15:20.687",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/725f6ae4-7ec5-4d7c-9533-c9b61b59cc2b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/725f6ae4-7ec5-4d7c-9533-c9b61b59cc2b"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified"
}

Vulnerability from fkie_nvd
Published
2024-12-12 07:15
Modified
2025-04-11 14:59
Summary
The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘post_title’ parameter in all versions up to, and including, 1.20.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Impacted products
Vendor Product Version
code-atlantic popup_maker *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "20DB177A-2586-4E06-8486-A136EC89521F",
              "versionEndExcluding": "1.20.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Popup Maker \u2013 Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018post_title\u2019 parameter in all versions up to, and including, 1.20.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
    },
    {
      "lang": "es",
      "value": " El complemento Popup Maker \u2013 Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del par\u00e1metro \u0027post_title\u0027 en todas las versiones hasta la 1.20.2 incluida , debido a una desinfecci\u00f3n de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."
    }
  ],
  "id": "CVE-2024-10583",
  "lastModified": "2025-04-11T14:59:12.717",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "security@wordfence.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-12-12T07:15:05.570",
  "references": [
    {
      "source": "security@wordfence.com",
      "tags": [
        "Patch"
      ],
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3197898%40popup-maker\u0026new=3197898%40popup-maker\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "source": "security@wordfence.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b4dc917-0d59-4163-a613-49afc1dc4d33?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-08-02 16:29
Modified
2025-04-20 01:37
Summary
Cross-site scripting vulnerability in Popup Maker prior to version 1.6.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Impacted products
Vendor Product Version
code-atlantic popup_maker 1.0.0
code-atlantic popup_maker 1.0.1
code-atlantic popup_maker 1.0.2
code-atlantic popup_maker 1.0.3
code-atlantic popup_maker 1.0.4
code-atlantic popup_maker 1.0.5
code-atlantic popup_maker 1.1.0
code-atlantic popup_maker 1.1.1
code-atlantic popup_maker 1.1.2
code-atlantic popup_maker 1.1.3
code-atlantic popup_maker 1.1.4
code-atlantic popup_maker 1.1.5
code-atlantic popup_maker 1.1.6
code-atlantic popup_maker 1.1.7
code-atlantic popup_maker 1.1.8
code-atlantic popup_maker 1.1.9
code-atlantic popup_maker 1.1.10
code-atlantic popup_maker 1.2.0
code-atlantic popup_maker 1.2.1
code-atlantic popup_maker 1.2.2
code-atlantic popup_maker 1.3.0
code-atlantic popup_maker 1.3.1
code-atlantic popup_maker 1.3.2
code-atlantic popup_maker 1.3.3
code-atlantic popup_maker 1.3.4
code-atlantic popup_maker 1.3.5
code-atlantic popup_maker 1.3.6
code-atlantic popup_maker 1.3.7
code-atlantic popup_maker 1.3.8
code-atlantic popup_maker 1.3.9
code-atlantic popup_maker 1.4.0
code-atlantic popup_maker 1.4.1
code-atlantic popup_maker 1.4.2
code-atlantic popup_maker 1.4.3
code-atlantic popup_maker 1.4.4
code-atlantic popup_maker 1.4.5
code-atlantic popup_maker 1.4.6
code-atlantic popup_maker 1.4.7
code-atlantic popup_maker 1.4.8
code-atlantic popup_maker 1.4.9
code-atlantic popup_maker 1.4.10
code-atlantic popup_maker 1.4.11
code-atlantic popup_maker 1.4.12
code-atlantic popup_maker 1.4.13
code-atlantic popup_maker 1.4.14
code-atlantic popup_maker 1.4.15
code-atlantic popup_maker 1.4.16
code-atlantic popup_maker 1.4.17
code-atlantic popup_maker 1.4.18
code-atlantic popup_maker 1.4.19
code-atlantic popup_maker 1.4.20
code-atlantic popup_maker 1.4.21
code-atlantic popup_maker 1.5.0
code-atlantic popup_maker 1.5.1
code-atlantic popup_maker 1.5.2
code-atlantic popup_maker 1.5.3
code-atlantic popup_maker 1.5.4
code-atlantic popup_maker 1.5.5
code-atlantic popup_maker 1.5.6
code-atlantic popup_maker 1.5.7
code-atlantic popup_maker 1.5.8
code-atlantic popup_maker 1.6.0
code-atlantic popup_maker 1.6.1
code-atlantic popup_maker 1.6.2
code-atlantic popup_maker 1.6.3
code-atlantic popup_maker 1.6.4



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.0.0:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "90C161EC-2573-42D2-87D9-34B3D6B8DC9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.0.1:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "D9B91723-3887-4F17-9C22-F75D9190EE56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.0.2:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "F1AC248E-BF46-422F-84F9-EDC409CA22F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.0.3:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "6C0338C3-969D-49CC-8883-A6FC1F85EA96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.0.4:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "54C7BF56-F9C6-4858-9084-20BC7695BD6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.0.5:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "36323BBF-DF81-47D3-B126-6673A3BF8F35",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.1.0:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "4B6B06C5-EBE8-4BD5-AB71-1212847F2D42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.1.1:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "2B9A7EA4-3EAC-40C3-945B-96B26462B163",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.1.2:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "9D48C71B-3971-4AD2-897F-ED9BCF478451",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.1.3:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "D789C13D-7C6D-4F5B-A212-B836E08E213A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.1.4:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "CFE80F18-726C-4BDE-838C-B44479DF6165",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.1.5:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "440D38B5-4C30-4960-8DF7-1234AB843972",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.1.6:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "4EB472CF-32C4-4BB0-AF92-8B015A40BE59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.1.7:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "59839A5E-3462-4084-AC68-E9BB758D29AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.1.8:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "37360399-BB08-4CCD-BF97-9C244B8538AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.1.9:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "34C82A10-464A-4CDC-8947-7B1494F0EB2C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.1.10:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "70B17631-F056-4E9B-BFF8-73BCE1116815",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.2.0:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "76350181-42BA-49C3-A25D-9B9FCB4E526B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.2.1:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "8E3085B2-66B0-4006-AA8E-9EF4CAB97FDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.2.2:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "102F9DD7-E0B5-4918-895E-DEFCAAC8FC52",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.3.0:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "39D04E83-EF5C-4981-BB0E-6F929AF1C25C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.3.1:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "C759FBB3-A063-4CCC-B3A5-F6DC8D6B8A6F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.3.2:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "283F2952-A467-4E2C-9E01-7E48234A3B2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.3.3:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "AB0D76F5-C2EB-4C6D-A187-DF3363EC19A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.3.4:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "70B45C8A-79DA-4AEE-BCC1-C06C77FEE40C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.3.5:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "8FCC14C3-C650-44AF-8292-5497B508556A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.3.6:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "007D28DF-7E53-486F-B9AB-1BCD54020AD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.3.7:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "5B735B73-E003-4848-A7F3-EBA9D19039EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.3.8:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "8868752E-BB92-43F4-8D1C-769D512DA13E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.3.9:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "334E63C2-E717-4C11-958D-B48EE3440B12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.0:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "82588758-797D-489D-A19F-0E0D7CC807E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.1:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "8588997E-AA8B-440F-9F1B-713FFB097234",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.2:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "FA9E5F61-97EB-470B-BA39-50ED30FDA492",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.3:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "3C2511EE-E091-41C4-BF06-DFBC27B3E3B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.4:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "BFB9A292-0E2D-4378-9039-ED45DABE726C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.5:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "CEDE2DC6-0A58-47C2-944F-8010524B2821",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.6:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "5827184B-ACEC-452A-8190-64A32F76E902",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.7:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "6E5B070F-A8E3-4320-832E-1FE9577E7B1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.8:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "8142F60E-FDBF-4DE1-89C9-5925290E9E92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.9:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "FEE8319A-33A8-486C-92A5-4941681B8B3E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.10:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "10A5384C-C79D-429A-9094-538BE9C70C9E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.11:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "39F86BCA-C2F6-4664-B36E-43FF3F9D13C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.12:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "0C583011-48FD-4EC3-9C58-28EF3E5C9D1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.13:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "DD0B7B26-72EA-4712-B783-3989FDB05194",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.14:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "6A1CC3A8-EBAA-4FA2-B0B9-4B05C9742CEE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.15:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "FE801999-733C-4C82-9114-B2228AADE290",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.16:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "7A33CEB9-8CE3-4F1A-A1C8-2176F65DA787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.17:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "AF294B42-DF3C-4ACB-B439-CE41581FB685",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.18:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "D18DDBCA-4F33-4CD0-BE52-1B6F87D273E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.19:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "65B14941-933B-4ECF-95CA-16F208EB2FCF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.20:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "38951BCB-E275-4952-850A-F007CB06B5ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.4.21:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "862E52EA-4F2E-42F5-8099-DAC7F3025923",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.5.0:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "5AD0FA3F-03CC-470D-A0A5-857CA7A46D73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.5.1:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "0CC71336-9C78-4228-9393-F9139ED44979",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.5.2:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "FF5128CC-6B8B-4CC6-9D08-2188D93ABD83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.5.3:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "30B1DDBC-10D1-4718-B07E-946D72F1B581",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.5.4:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "9E0DC38E-A42A-4008-9E67-0487F0849CED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.5.5:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "9B9657B9-C347-4DF9-A306-C281396FB81D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.5.6:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "E0E732F1-84C1-44A6-B1B3-BCA25B8272C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.5.7:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "A78EFBC6-C767-466E-8A7A-68A7606227C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.5.8:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "C218BC8D-9798-4EEC-8B64-EE96888FA338",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.6.0:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "4177F386-AFB2-421B-8444-89D16B6C78C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.6.1:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "CF7C5849-3102-4D27-BBB8-A6E31230150F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.6.2:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "30BCFF57-5F8E-478B-A484-9C771BA33E83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.6.3:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "D00FE9DD-4EF5-4CAF-88B1-0C260610063A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:1.6.4:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "FAB6541B-F121-4668-A2CA-EE6120014633",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting vulnerability in Popup Maker prior to version 1.6.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo Cross-Site Scripting (XSS) en versiones anteriores a la 1.6.5 de Popup Maker permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados."
    }
  ],
  "id": "CVE-2017-2284",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-08-02T16:29:00.520",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://jvn.jp/en/jp/JVN92921024/index.html"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://plugins.trac.wordpress.org/changeset/1697216/#file3"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://wordpress.org/plugins/popup-maker/#developers"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "url": "https://wpvulndb.com/vulnerabilities/8878"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://jvn.jp/en/jp/JVN92921024/index.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://plugins.trac.wordpress.org/changeset/1697216/#file3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://wordpress.org/plugins/popup-maker/#developers"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://wpvulndb.com/vulnerabilities/8878"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-12-13 15:15
Modified
2025-04-11 14:58
Summary
Missing Authorization vulnerability in Popup Maker Popup Maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Popup Maker: from n/a through 1.17.1.
Impacted products
Vendor Product Version
code-atlantic popup_maker *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "DE6EB12B-015D-4B7E-8564-4DE67A481A50",
              "versionEndExcluding": "1.18.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Missing Authorization vulnerability in Popup Maker Popup Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Maker: from n/a through 1.17.1."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Popup Maker Popup Maker permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Popup Maker: desde n/a hasta 1.17.1."
    }
  ],
  "id": "CVE-2022-45819",
  "lastModified": "2025-04-11T14:58:45.343",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 1.4,
        "source": "audit@patchstack.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-12-13T15:15:08.120",
  "references": [
    {
      "source": "audit@patchstack.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://patchstack.com/database/wordpress/plugin/popup-maker/vulnerability/wordpress-popup-maker-plugin-1-17-1-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "sourceIdentifier": "audit@patchstack.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "audit@patchstack.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-01-02 22:15
Modified
2025-04-10 15:16
Summary
The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks
Impacted products
Vendor Product Version
code-atlantic popup_maker *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "B4A5451A-B2C6-48FB-8364-1F6B97410E53",
              "versionEndExcluding": "1.16.9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks"
    },
    {
      "lang": "es",
      "value": "El complemento Popup Maker de WordPress anterior a 1.16.9 no valida ni escapa uno de sus atributos de c\u00f3digo corto, lo que podr\u00eda permitir a los usuarios con un rol tan bajo como colaborador realizar cross-site scripting almacenado."
    }
  ],
  "id": "CVE-2022-4381",
  "lastModified": "2025-04-10T15:16:01.457",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-01-02T22:15:18.050",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/8bf8ebe8-1063-492d-a0f9-2f824408d0df"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/8bf8ebe8-1063-492d-a0f9-2f824408d0df"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified"
}

Vulnerability from fkie_nvd
Published
2024-08-20 11:15
Modified
2025-03-31 18:27
Summary
The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘close_text’ parameter in all versions up to, and including, 1.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Impacted products
Vendor Product Version
code-atlantic popup_maker *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "D6E8FCA7-F8E5-43D8-A38A-A088C8D02BB1",
              "versionEndExcluding": "1.19.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Popup Maker \u2013 Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018close_text\u2019 parameter in all versions up to, and including, 1.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
    },
    {
      "lang": "es",
      "value": "El complemento Popup Maker \u2013 Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro \u2018close_text\u2019 en todas las versiones hasta la 1.19.0 incluida, debido a una desinfecci\u00f3n de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten secuencias de comandos web arbitrarias en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."
    }
  ],
  "id": "CVE-2024-7054",
  "lastModified": "2025-03-31T18:27:47.530",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 2.7,
        "source": "security@wordfence.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-08-20T11:15:03.540",
  "references": [
    {
      "source": "security@wordfence.com",
      "tags": [
        "Patch"
      ],
      "url": "https://plugins.trac.wordpress.org/changeset/3137126/"
    },
    {
      "source": "security@wordfence.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73524687-7703-4912-aad5-2a31122ba9b2?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-09-09 06:15
Modified
2024-10-07 17:45
Summary
The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Impacted products
Vendor Product Version
code-atlantic popup_maker *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "D6E8FCA7-F8E5-43D8-A38A-A088C8D02BB1",
              "versionEndExcluding": "1.19.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Popup Maker  WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
    },
    {
      "lang": "es",
      "value": "El complemento Popup Maker WordPress anterior a la versi\u00f3n 1.19.1 no desinfecta ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir que usuarios con privilegios elevados, como el administrador, realicen ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio)."
    }
  ],
  "id": "CVE-2024-5561",
  "lastModified": "2024-10-07T17:45:29.950",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-09-09T06:15:01.850",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/6a87cc25-bd7d-40e3-96f9-26646cd6f736/"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-04-09 19:15
Modified
2025-04-11 13:12
Summary
The Popup Maker – Popup for opt-ins, lead gen, & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.18.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Impacted products
Vendor Product Version
code-atlantic popup_maker *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "39CC0E55-D63D-4216-8B86-C172F516C5E0",
              "versionEndExcluding": "1.19.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026 more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s shortcode(s) in all versions up to, and including, 1.18.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
    },
    {
      "lang": "es",
      "value": "El complemento Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026amp; more para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de los c\u00f3digos cortos del complemento en todas las versiones hasta la 1.18.2 incluida debido a una sanitizaci\u00f3n de entrada insuficiente. y la salida se escapa en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados con permisos de nivel de colaborador y superiores inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."
    }
  ],
  "id": "CVE-2024-2336",
  "lastModified": "2025-04-11T13:12:50.600",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 2.7,
        "source": "security@wordfence.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-04-09T19:15:32.353",
  "references": [
    {
      "source": "security@wordfence.com",
      "tags": [
        "Patch"
      ],
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3053244%40popup-maker%2Ftrunk\u0026old=2989642%40popup-maker%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "source": "security@wordfence.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40e1215c-ac00-4fd6-b428-a57cef95aed1?source=cve"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3053244%40popup-maker%2Ftrunk\u0026old=2989642%40popup-maker%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40e1215c-ac00-4fd6-b428-a57cef95aed1?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-10-14 14:15
Modified
2024-11-21 04:32
Severity ?
Summary
An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file").
Impacted products
Vendor Product Version
code-atlantic popup_maker *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "F339855E-FB38-4912-AF33-FD5CF3B75D6F",
              "versionEndExcluding": "1.8.13",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the \"support debug text file\")."
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 un problema en el plugin Popup Maker en versiones anteriores a la 1.8.13 para WordPress. Un atacante no autenticado puede controlar parcialmente los argumentos de la funci\u00f3n do_action para invocar ciertos m\u00e9todos popmake_ o pum_, como lo demuestra el control del contenido y la entrega de popmake-system-info.txt (tambi\u00e9n conocido como \"support debug text file\")."
    }
  ],
  "id": "CVE-2019-17574",
  "lastModified": "2024-11-21T04:32:34.133",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-10-14T14:15:10.197",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://blog.redyops.com/wordpress-plugin-popup-maker/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://wpvulndb.com/vulnerabilities/9907"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://blog.redyops.com/wordpress-plugin-popup-maker/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://wpvulndb.com/vulnerabilities/9907"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-11-01 15:15
Modified
2024-11-12 20:28
Summary
Missing Authorization vulnerability in Popup Maker allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Popup Maker: from n/a through 1.19.2.
Impacted products
Vendor Product Version
code-atlantic popup_maker *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "1AF385E1-1958-43F8-80F0-874EE6940504",
              "versionEndExcluding": "1.20.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Missing Authorization vulnerability in Popup Maker allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Popup Maker: from n/a through 1.19.2."
    },
    {
      "lang": "es",
      "value": " La vulnerabilidad de autorizaci\u00f3n faltante en Popup Maker permite acceder a funcionalidades que no est\u00e1n correctamente restringidas por las ACL. Este problema afecta a Popup Maker: desde n/a hasta 1.19.2."
    }
  ],
  "id": "CVE-2024-47358",
  "lastModified": "2024-11-12T20:28:55.623",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "audit@patchstack.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-11-01T15:15:55.043",
  "references": [
    {
      "source": "audit@patchstack.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://patchstack.com/database/vulnerability/popup-maker/wordpress-popup-maker-plugin-1-19-2-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "sourceIdentifier": "audit@patchstack.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "audit@patchstack.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-01-02 22:15
Modified
2025-04-10 15:16
Summary
The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks
Impacted products
Vendor Product Version
code-atlantic popup_maker *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "B4A5451A-B2C6-48FB-8364-1F6B97410E53",
              "versionEndExcluding": "1.16.9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks"
    },
    {
      "lang": "es",
      "value": "El complemento Popup Maker de WordPress anterior a 1.16.9 no valida ni escapa uno de sus atributos de c\u00f3digo corto, lo que podr\u00eda permitir a los usuarios con un rol tan bajo como colaborador realizar cross-site scripting almacenado."
    }
  ],
  "id": "CVE-2022-4362",
  "lastModified": "2025-04-10T15:16:01.047",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-01-02T22:15:17.677",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/2660225a-e4c8-40f2-8c98-775ef2301212"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/2660225a-e4c8-40f2-8c98-775ef2301212"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified"
}

Vulnerability from fkie_nvd
Published
2022-05-09 17:15
Modified
2024-11-21 06:40
Summary
The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Impacted products
Vendor Product Version
code-atlantic popup_maker *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "5E414502-0EB8-443B-AC2D-1F268EE4E7CD",
              "versionEndExcluding": "1.16.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed"
    },
    {
      "lang": "es",
      "value": "El plugin Popup Maker de WordPress versiones anteriores a 1.16.5, no sanea ni escapa de algunos de sus par\u00e1metros de Popup, lo que podr\u00eda permitir a usuarios con altos privilegios, como el administrador, llevar a cabo ataques de tipo Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html est\u00e1 deshabilitada"
    }
  ],
  "id": "CVE-2022-1104",
  "lastModified": "2024-11-21T06:40:02.617",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-05-09T17:15:08.797",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/4d4709f3-ad38-4519-a24a-73bc04b20e52"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/4d4709f3-ad38-4519-a24a-73bc04b20e52"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "contact@wpscan.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-12-20 18:15
Modified
2024-11-21 07:32
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Popup Maker Popup Maker – Popup for opt-ins, lead gen, & more. This issue affects Popup Maker – Popup for opt-ins, lead gen, & more: from n/a through 1.17.1.
Impacted products
Vendor Product Version
code-atlantic popup_maker *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "DE6EB12B-015D-4B7E-8564-4DE67A481A50",
              "versionEndExcluding": "1.18.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Popup Maker Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026 more.This issue affects Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026 more: from n/a through 1.17.1.\n\n"
    },
    {
      "lang": "es",
      "value": "Exposici\u00f3n de informaci\u00f3n confidencial a una vulnerabilidad de un actor no autorizado en Popup Maker Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026 more. Este problema afecta a Popup Maker \u2013 Popup for opt-ins, lead gen, \u0026 more: desde n/a hasta 1.17.1."
    }
  ],
  "id": "CVE-2022-47597",
  "lastModified": "2024-11-21T07:32:14.140",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "audit@patchstack.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-20T18:15:11.143",
  "references": [
    {
      "source": "audit@patchstack.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://patchstack.com/database/vulnerability/popup-maker/wordpress-popup-maker-plugin-1-17-1-unauth-access-to-debug-log?_s_id=cve"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://patchstack.com/database/vulnerability/popup-maker/wordpress-popup-maker-plugin-1-17-1-unauth-access-to-debug-log?_s_id=cve"
    }
  ],
  "sourceIdentifier": "audit@patchstack.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "audit@patchstack.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}