Popup Box – Create Countdown, Coupon, Video, Contact Form Popups < 4.9.8 – Missing Authorization to Unauthenticated Limited Options Update | CVE 2024-10861 | Plugin Vulnerabilities

Description

The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the 'ays_pb_upgrade_plugin' option with arbitrary data.

Affects Plugins

Fixed in 4.9.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c3717e03-9a18-48a1-97d3-1d41c7f93261

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Trương Hữu Phúc (truonghuuphuc)

Verified

No

WPVDB ID

0cca8207-04ab-4857-8b3a-b21757dffe0e

Timeline

Publicly Published

2024-11-15 (about 1 year ago)

Added

2024-11-15 (about 1 year ago)

Last Updated

2024-11-16 (about 1 year ago)

Other

Published

Title

Published

2024-08-14

Title

Sensei LMS < 4.24.2 - Unauthenticated Email Template Leak

Published

2025-01-06

Title

WP Menu Image < 2.3 - Unauthenticated Menu Image Deletion

Published

2026-03-09

Title

Booktics < 1.0.17 - Unauthenticated Addons Installation

Published

2026-03-06

Title

Greenshift < 12.8.4 - Missing Authorization to Unauthenticated Private Reusable Block Disclosure via 'gspb_el_reusable_load'

Published

2025-09-22

Title

Sticky Header Effects for Elementor < 2.1.3 - Missing Authorization