CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31421 – WordPress Popup by Supsystic plugin <= 1.10.27 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-31421
Missing Authorization vulnerability in Supsystic Popup by Supsystic.This issue affects Popup by Supsystic: from n/a through 1.10.27. Vulnerabilidad de autorización faltante en Supsystic Popup de Supsystic. Este problema afecta a Popup de Supsystic: desde n/a hasta 1.10.27. The Popup by Supsystic plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.10.27. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. • https://patchstack.com/database/vulnerability/popup-by-supsystic/wordpress-popup-by-supsystic-plugin-1-10-27-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-46197 – WordPress Popup by Supsystic plugin <= 1.10.19 - Unauthenticated Subscriber Email Addresses Disclosure
https://notcve.org/view.php?id=CVE-2023-46197
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in supsystic.Com Popup by Supsystic allows Relative Path Traversal.This issue affects Popup by Supsystic: from n/a through 1.10.19. Limitación incorrecta de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en supsystic.Com Popup de Supsystic permite un path traversal relativa. Este problema afecta a Popup de Supsystic: desde n/a hasta 1.10.19. The Popup by Supsystic plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.10.19 via the getWpCsvList action. This makes it possible for authenticated attackers with subscriber level access or higher to extract sensitive data including subscriber email addresses. • https://github.com/RandomRobbieBF/CVE-2023-46197 https://patchstack.com/database/vulnerability/popup-by-supsystic/wordpress-popup-by-supsystic-plugin-1-10-19-unauthenticated-subscriber-email-addresses-disclosure?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39997 – Popup by Supsystic <= 1.10.19 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-39997
The Popup by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.19. This is due to missing or incorrect nonce validation for a subset of actions on the 'havePermissions' function. This makes it possible for unauthenticated attackers to perform actions such as sending test emails or saving plugin options via a forged request granted they can trick an authorized user into performing an action such as clicking on a link. • CWE-352: Cross-Site Request Forgery (CSRF) •