CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52434 – WordPress Popup by Supsystic plugin <= 1.10.29 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-52434
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Supsystic Popup by Supsystic allows Command Injection.This issue affects Popup by Supsystic: from n/a through 1.10.29. La vulnerabilidad de neutralización incorrecta de elementos especiales utilizados en un motor de plantillas en Supsystic Popup de Supsystic permite la inyección de comandos. Este problema afecta a Popup de Supsystic: desde n/a hasta 1.10.29. The Popup by Supsystic plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.29. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. • https://patchstack.com/database/vulnerability/popup-by-supsystic/wordpress-popup-by-supsystic-plugin-1-10-29-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31421 – WordPress Popup by Supsystic plugin <= 1.10.27 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-31421
Missing Authorization vulnerability in Supsystic Popup by Supsystic.This issue affects Popup by Supsystic: from n/a through 1.10.27. Vulnerabilidad de autorización faltante en Supsystic Popup de Supsystic. Este problema afecta a Popup de Supsystic: desde n/a hasta 1.10.27. The Popup by Supsystic plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.10.27. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. • https://patchstack.com/database/vulnerability/popup-by-supsystic/wordpress-popup-by-supsystic-plugin-1-10-27-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-46197 – WordPress Popup by Supsystic plugin <= 1.10.19 - Unauthenticated Subscriber Email Addresses Disclosure
https://notcve.org/view.php?id=CVE-2023-46197
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in supsystic.Com Popup by Supsystic allows Relative Path Traversal.This issue affects Popup by Supsystic: from n/a through 1.10.19. Limitación incorrecta de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en supsystic.Com Popup de Supsystic permite un path traversal relativa. Este problema afecta a Popup de Supsystic: desde n/a hasta 1.10.19. The Popup by Supsystic plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.10.19 via the getWpCsvList action. This makes it possible for authenticated attackers with subscriber level access or higher to extract sensitive data including subscriber email addresses. • https://github.com/RandomRobbieBF/CVE-2023-46197 https://patchstack.com/database/vulnerability/popup-by-supsystic/wordpress-popup-by-supsystic-plugin-1-10-19-unauthenticated-subscriber-email-addresses-disclosure?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39997 – Popup by Supsystic <= 1.10.19 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-39997
The Popup by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.19. This is due to missing or incorrect nonce validation for a subset of actions on the 'havePermissions' function. This makes it possible for unauthenticated attackers to perform actions such as sending test emails or saving plugin options via a forged request granted they can trick an authorized user into performing an action such as clicking on a link. • CWE-352: Cross-Site Request Forgery (CSRF) •