
CVSS: 9.1 • EPSS: 6% • CPEs: 1 • EXPL: 1

An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file").

• http://blog.redyops.com/wordpress-plugin-popup-maker
• https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md
• https://wpvulndb.com/vulnerabilities/9907

• CWE-287: Improper Authentication
• CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 6.1 • EPSS: 0% • CPEs: 66 • EXPL: 0

Cross-site scripting vulnerability in Popup Maker prior to version 1.6.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

• https://jvn.jp/en/jp/JVN92921024/index.html
• https://plugins.trac.wordpress.org/changeset/1697216/#file3
• https://wordpress.org/plugins/popup-maker/#developers
• https://wpvulndb.com/vulnerabilities/8878

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')