WordPress Plugin Vulnerabilities

Popup Anything < 2.8.1 - Missing Authorization

Description

The Popup Anything – Popup for opt-ins and Lead Generation Conversions plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the popupaoc_render_popup_preview() function in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to view popup previews.

Affects Plugins

Plugin icon
popup-anything-on-click
Fixed in 2.8.1

References

CVE
CVE-2024-32601
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/012b5334-afdc-47bd-8eaf-967b40fef59b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Steven Julian
Verified
No
WPVDB ID
1f535ae2-c424-4638-aab4-5c671b95553e

Timeline

Publicly Published
2024-04-16 (about 25 days ago)
Added
2024-04-23 (about 17 days ago)
Last Updated
2024-04-23 (about 17 days ago)

Other

Published
Title
Published
2023-11-23
Title
Slider - Ultimate Responsive Image Slider < 3.5.12 - Subscriber+ Arbitrary Post Access
Published
2023-11-09
Title
Japanized For WooCommerce < 2.6.5 - Missing Authorization
Published
2024-04-29
Title
ACF On-The-Go <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update
Published
2024-03-13
Title
Cryptocurrency Widgets – Price Ticker & Coins List < 2.6.9 - Missing Authorization
Published
2023-10-26
Title
Deeper Comments <= 2.1.1 - Subscriber+ Arbitrary Options Update