Description

WordPress Plugin Popup Maker-Popup for opt-ins, lead gen, & more is prone to multiple vulnerabilities, including security bypass and information disclosure vulnerabilities. Exploiting these issues could allow an attacker to perform otherwise restricted actions and subsequently enable/disable popups, or to obtain sensitive information which could aid in launching further attacks. WordPress Plugin Popup Maker-Popup for opt-ins, lead gen, & more version 1.17.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.18.0 or latest

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/popup-maker/popup-maker-1171-missing-authorization-via-save-popup-enabled-state

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/popup-maker/popup-maker-1171-sensitive-data-exposure-via-debug-log-file

https://plugins.svn.wordpress.org/popup-maker/trunk/readme.txt

Related Vulnerabilities

MySQL CVE-2015-4757 Vulnerability (CVE-2015-4757)

Oracle JRE CVE-2022-21293 Vulnerability (CVE-2022-21293)

WordPress Plugin Easy Digital Downloads-Simple eCommerce for Selling Digital Files Cross-Site Request Forgery (2.10.2)

WordPress Plugin Webmention Cross-Site Scripting (4.0.8)

Dolibarr Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2017-17897)

Severity

High

Classification

CVE-2022-47597 CWE-200 CWE-862 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update