An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the “support debug text file”).
CPE | Name | Operator | Version |
---|---|---|---|
popup-maker | eq | 1.4.19 | |
popup-maker | eq | 1.5.0 | |
popup-maker | eq | 1.7.26 | |
popup-maker | eq | 1.3.5 | |
popup-maker | eq | 1.4.20 | |
popup-maker | eq | 1.5.3 | |
popup-maker | eq | 1.8.7 | |
popup-maker | eq | 1.7.29 | |
popup-maker | eq | 1.5.7 | |
popup-maker | eq | 1.4.16 |