CVSS: 7.5EPSS: 78%CPEs: 1EXPL: 1CVE-2024-9061 – WP Popup Builder – Popup Forms and Marketing Lead Generation <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add
https://notcve.org/view.php?id=CVE-2024-9061
15 Oct 2024 — The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.... • https://github.com/RandomRobbieBF/CVE-2024-9061 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2404 – WP Popup Builder < 1.2.9 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2404
05 Sep 2022 — The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting El plugin WP Popup Builder de WordPress antes de la versión 1.2.9 no sanea y escapa de un parámetro antes de devolverlo a la página, lo que lleva a un Reflected Cross-Site Scripting The WP Popup Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.2.8 due to insufficient input... • https://wpscan.com/vulnerability/0d889dde-b9d5-46cf-87d3-4f8a85cf9b98 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2405 – WP Popup Builder < 1.3.0 - Subscriber+ Arbitrary Popup Deletion
https://notcve.org/view.php?id=CVE-2022-2405
05 Sep 2022 — The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup El plugin WP Popup Builder WordPress antes de la versión 1.2.9 no dispone de autorización y comprobación CSRF en una acción AJAX, lo que permite a cualquier usuario autentificado, como los suscriptores, eliminar Popups arbitrarios The WP Popup Builder plugin for WordPress is vulnerable to authentication bypass in vers... • https://wpscan.com/vulnerability/50037028-2790-47ee-aae1-faf0724eb917 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •