Sensitive Data Exposure Vulnerability in Popup Builder Plugin
CVE-2024-2541

7.5 HIGH

Summary

The Popup Builder plugin for WordPress, used for creating dynamic popups, is affected by a vulnerability that allows unauthenticated attackers to access sensitive information. The vulnerability is present in all versions up to and including 4.3.3 and is exposed through the plugin's Subscribers Import feature. When administrators import subscriber data from a CSV file, personal information such as first names, last names, email addresses, and potentially other personally identifiable information could be extracted by unauthorized users. This exposes subscribers to privacy risks and data breaches, so site owners should be aware of this vulnerability and take appropriate action.

Affected Version(s)

Popup Builder – Create highly converting, mobile friendly marketing popups: all versions <= 4.3.3

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tim Coen