
CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The optinmonster plugin before 1.1.4.6 for WordPress has incorrect access control for shortcodes because of a nonce leak.

The OptinMonster plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 1.1.4.5 via the shortcode() function. This allows unauthenticated attackers to execute code on the server.

• http://www.pritect.net/blog/optinmonster-1-1-4-6-security-vulnerability
• https://wordpress.org/plugins/optinmonster/#developers

• CWE-94: Improper Control of Generation of Code ('Code Injection')
• CWE-863: Incorrect Authorization