Popup Builder < 4.3.7 – Sensitive Information Exposure via Imported Subscribers CSV File | CVE 2024-2541 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Sensitive Information Exposure via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. This data may include the first name, last name, e-mail address, and potentially other personally identifiable information of subscribers.

Affects Plugins

Fixed in 4.3.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/086cd6a0-adb6-4e12-b34c-630297f036f3

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Tim Coen

Verified

No

WPVDB ID

c9e9fb80-c73d-4b42-baa8-a1695ad7bdff

Timeline

Publicly Published

2024-08-28 (about 1 year ago)

Added

2024-08-29 (about 1 year ago)

Last Updated

2025-04-11 (about 1 year ago)

Other

Published

Title

Published

2026-03-23

Title

DirectoryPress < 3.6.27 - Unauthenticated Information Exposure

Published

2023-12-28

Title

Send Users Email < 1.4.4 - Sensitive Information Exposure via Error Logs

Published

2025-11-12

Title

Comment Edit Core – Simple Comment Editing < 3.2.0 - Unauthenticated Sensitive Information Exposure

Published

2024-08-07

Title

Booking for Appointments and Events Calendar – Amelia < 1.2.1 - Unauthenticated Full Path Disclosure

Published

2024-04-16

Title

HT Mega < 2.4.7 - Unauthenticated Order Data Disclosure