Unauthorized Data Modification Vulnerability in The Popup Box Plugin
CVE-2024-10861
5.3MEDIUM
Key Information:
- Vendor
Wordpress
- Vendor
- CVE Published:
- 16 November 2024
What is CVE-2024-10861?
The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress has a design flaw that results in unauthorized modification of critical plugin settings. The vulnerability arises from a lack of proper capability checks in the deactivate_plugin_option() function. As a result, attackers who do not possess authentication can exploit this flaw to manipulate the 'ays_pb_upgrade_plugin' option, potentially leading to arbitrary changes in the plugin's configuration and behavior across all versions up to and including 4.9.7.
Affected Version(s)
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups * <= 4.9.7