Popup by Supsystic <= 1.7.8 – Cross-Site Request Forgery (CSRF) | CVE 2016-10915

Affects Plugins

popup-by-supsystic

Fixed in 1.7.9

References

CVE

CVE-2016-10915

URL

https://sumofpwn.nl/advisory/2016/popup_by_supsystic_wordpress_plugin_vulnerable_to_cross_site_request_forgery.html

URL

https://seclists.org/fulldisclosure/2017/Feb/97

Classification

Type

SSRF

OWASP top 10

A1: Injection

CWE

CWE-918

CVSS

8.8 (high)

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

84629e06-4900-4805-b54f-4ee75c549357

Timeline

Publicly Published

2017-03-01 (about 9 years ago)

Added

2017-03-02 (about 9 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2026-03-27

Title

Oxygen < 6.0.9 - Unauthenticated Server-Side Request Forgery via route_path

Published

2025-02-26

Title

OneStore Sites <= 0.1.1 - Unauthenticated Blind Server-Side Request Forgery

Published

2025-11-23

Title

External Media <= 1.0.36 - Authenticated (Contributor+) Server-Side Request Forgery

Published

2022-10-26

Title

Web Stories < 1.25.0 - Subscriber+ Server Side Request Forgery

Published

2021-04-13

Title

WP-DownloadManager < 1.68.5 - Server-Side Request Forgery (SSRF)