WP Popup Builder – Popup Forms and Marketing Lead Generation < 1.3.6 – Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add | CVE 2024-9061 | Plugin Vulnerabilities

Description

The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access.

Affects Plugins

wp-popup-builder

Fixed in 1.3.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0cac1dc0-87dc-43eb-9db1-638a91200b43

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

1b4a3779-d225-479a-8e58-be06e175ffab

Timeline

Publicly Published

2024-10-15 (about 1 year ago)

Added

2024-10-15 (about 1 year ago)

Last Updated

2024-10-16 (about 1 year ago)

Other

Published

Title

Published

2026-05-01

Title

Widget Options < 4.2.3 - Contributor+ Remote Code Execution via Display Logic

Published

2026-05-26

Title

WPCode < 2.3.6 - Author+ Remote Code Execution via XML-RPC wp.newPost

Published

2022-04-12

Title

Multiple Plugins from Cool Plugins - Subscriber+ Arbitrary Plugin Installation & Activation

Published

2026-03-20

Title

Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution

Published

2016-04-12

Title

Robo Gallery <= 2.0.14 - Remote Code Execution