WordPress Plugin Vulnerabilities
Popup Builder < 3.64.1 - Multiple Issues
Description
"One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded. The other vulnerability allowed any logged-in user, even those with minimal permissions such as a subscriber, to export a list of all newsletter subscribers, export system configuration information, and grant themselves access to various features of the plugin."
- Unauthenticated Stored Cross-Site Scripting (XSS)
- Authenticated Settings Modification, Configuration Disclosure, and User Data Export
Affects Plugins
References
Miscellaneous
Original Researcher: Wordfence
Verified: No
WPVDB ID
Timeline
Publicly Published: 2020-03-12 (about 5 years ago)
Added: 2020-03-12 (about 5 years ago)
Last Updated: 2020-09-22 (about 5 years ago)