WordPress Plugin Vulnerabilities

Popup by Supsystic < 1.10.28 - Missing Authorization

Description

The Popup by Supsystic plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.10.27. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
popup-by-supsystic
Fixed in 1.10.28

References

CVE
CVE-2024-31421
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/73b99342-65ca-4f63-b1ea-638255821265

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Steven Julian
Verified
No
WPVDB ID
472ca5cb-d3ef-47e9-91a3-620482d841b0

Timeline

Publicly Published
2024-04-10 (about 2 years ago)
Added
2024-04-16 (about 2 years ago)
Last Updated
2024-04-16 (about 2 years ago)

Other

Published
Title
Published
2025-11-26
Title
Featured Post Creative < 1.5.6 - Missing Authorization
Published
2024-04-04
Title
Happy Addons for Elementor < 3.10.5 - Incorrect Authorization to Information Exposure
Published
2024-04-23
Title
Send PDF for Contact Form 7 < 1.0.2.4 - Missing Authorization
Published
2026-01-16
Title
Tickera < 3.5.6.3 - Missing Authorization
Published
2024-04-22
Title
ARForms < 6.4.1 - Missing Authorization to Arbitrary File Deletion