Lucene search

K

Popup-builder Security Vulnerabilities

cve
cve

CVE-2024-2544

The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple unauthorized actions,...

7.4CVSS

7AI Score

0.0004EPSS

2024-06-15 02:15 AM
2
cve
cve

CVE-2023-6696

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 4.3.1. While some functions contain a nonce check,....

8.1CVSS

8AI Score

0.001EPSS

2024-06-15 02:15 AM
3
cve
cve

CVE-2024-35655

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Brave Brave Popup Builder allows Stored XSS.This issue affects Brave Popup Builder: from n/a through...

5.9CVSS

5.3AI Score

0.0004EPSS

2024-06-04 02:15 PM
21
cve
cve

CVE-2024-2506

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS functionality in all versions up to, and including, 4.2.7 due to insufficient input sanitization and output escaping on user supplied.....

6.4CVSS

6AI Score

0.0004EPSS

2024-06-01 07:15 AM
29
cve
cve

CVE-2024-4045

The Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘campaign_id’ parameter in versions up to, and including, 2.16.1 due to insufficient input sanitization and output...

6.4CVSS

5.7AI Score

0.001EPSS

2024-05-25 06:15 AM
28
cve
cve

CVE-2024-34567

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in GhozyLab, Inc. Popup Builder allows Stored XSS.This issue affects Popup Builder: from n/a through...

5.9CVSS

6.6AI Score

0.0004EPSS

2024-05-17 06:15 AM
23
cve
cve

CVE-2024-1945

The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'arflite_remove_preview_data' function in all versions up to, and including, 1.6.4. This makes it possible for.....

7.1CVSS

6.3AI Score

0.0004EPSS

2024-05-02 05:15 PM
26
cve
cve

CVE-2024-2008

The Modal Popup Box – Popup Builder, Show Offers And News in Popup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.2 via deserialization of untrusted input in the awl_modal_popup_box_shortcode function. This makes it possible for authenticated...

8.8CVSS

9.3AI Score

0.0004EPSS

2024-04-04 03:15 AM
35
cve
cve

CVE-2024-30453

Server-Side Request Forgery (SSRF) vulnerability in Brave Brave Popup Builder.This issue affects Brave Popup Builder: from n/a through...

5.4CVSS

9.4AI Score

0.0004EPSS

2024-03-29 05:15 PM
29
cve
cve

CVE-2024-30184

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Looking Forward Software Incorporated. Popup Builder allows Stored XSS.This issue affects Popup Builder: from n/a through...

6.5CVSS

9.1AI Score

0.0004EPSS

2024-03-27 12:15 PM
25
cve
cve

CVE-2023-6294

The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress...

6.6AI Score

0.0004EPSS

2024-02-12 04:15 PM
47
cve
cve

CVE-2023-51532

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Icegram Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building allows Stored XSS.This issue affects Icegram Engage – WordPress Lead Generation, Popup...

6.5CVSS

5.5AI Score

0.0004EPSS

2024-02-01 11:15 AM
62
cve
cve

CVE-2023-6828

The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ arf_http_referrer_url’ parameter in all versions up to, and including, 1.5.8 due to insufficient input sanitization and output escaping....

7.2CVSS

5.9AI Score

0.001EPSS

2024-01-11 09:15 AM
51
cve
cve

CVE-2023-52119

Cross-Site Request Forgery (CSRF) vulnerability in Icegram Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building.This issue affects Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through...

8.8CVSS

8.6AI Score

0.001EPSS

2024-01-05 10:15 AM
52
cve
cve

CVE-2023-6000

The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS...

6.1CVSS

6.2AI Score

0.0005EPSS

2024-01-01 03:15 PM
118
cve
cve

CVE-2023-32517

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in PluginOps MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder.This issue affects MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder: from n/a through...

6.1CVSS

6.2AI Score

0.0005EPSS

2023-12-29 10:15 AM
14
cve
cve

CVE-2023-4961

The Poptin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'poptin-form' shortcode in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

6.4CVSS

5.2AI Score

0.001EPSS

2023-10-20 08:15 AM
81
cve
cve

CVE-2023-3226

The Popup Builder WordPress plugin before 4.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

4.8CVSS

4.8AI Score

0.0004EPSS

2023-09-25 04:15 PM
26
cve
cve

CVE-2023-2362

The Float menu WordPress plugin before 5.0.2, Bubble Menu WordPress plugin before 3.0.4, Button Generator WordPress plugin before 2.3.5, Calculator Builder WordPress plugin before 1.5.1, Counter Box WordPress plugin before 1.2.2, Floating Button WordPress plugin before 5.3.1, Herd Effects...

6.1CVSS

6.1AI Score

0.001EPSS

2023-06-12 06:15 PM
34
cve
cve

CVE-2023-24003

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Timersys WP Popups – WordPress Popup plugin <= 2.1.4.8...

6.5CVSS

5.1AI Score

0.001EPSS

2023-04-06 09:15 AM
19
cve
cve

CVE-2023-0772

The Popup Builder by OptinMonster WordPress plugin before 2.12.2 does not ensure that the campaign to be loaded via some shortcodes is actually a campaign, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, like draft, private or even password protected....

6.5CVSS

6.7AI Score

0.001EPSS

2023-03-13 05:15 PM
30
cve
cve

CVE-2022-2405

The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary...

4.3CVSS

4.6AI Score

0.001EPSS

2022-09-26 01:15 PM
36
3
cve
cve

CVE-2022-2404

The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site...

6.1CVSS

6AI Score

0.001EPSS

2022-09-26 01:15 PM
40
3
cve
cve

CVE-2022-29495

Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.11 at WordPress allows an attacker to update plugin...

5.4CVSS

4.5AI Score

0.001EPSS

2022-07-22 05:15 PM
51
8
cve
cve

CVE-2022-32289

Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.0 at WordPress leading to popup status...

5.4CVSS

4.6AI Score

0.001EPSS

2022-07-21 04:15 PM
38
6
cve
cve

CVE-2022-1894

The Popup Builder WordPress plugin before 4.1.11 does not escape and sanitize some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltred_html is...

4.8CVSS

4.7AI Score

0.001EPSS

2022-07-11 01:15 PM
43
7
cve
cve

CVE-2022-28612

Improper Access Control vulnerability leading to multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Muneeb's Custom Popup Builder plugin <= 1.3.1 at...

5.4CVSS

5.4AI Score

0.001EPSS

2022-06-15 08:15 PM
45
6
cve
cve

CVE-2022-0479

The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack...

9.8CVSS

9.1AI Score

0.002EPSS

2022-03-28 06:15 PM
50
cve
cve

CVE-2022-0228

The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL...

7.2CVSS

7.3AI Score

0.026EPSS

2022-02-21 11:15 AM
144
cve
cve

CVE-2021-25082

The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to RCE vulnerability via...

8.8CVSS

8.5AI Score

0.001EPSS

2022-02-21 11:15 AM
72
cve
cve

CVE-2021-24867

Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to....

9.8CVSS

9.4AI Score

0.004EPSS

2022-02-21 11:15 AM
132
2
cve
cve

CVE-2022-0214

The Custom Popup Builder WordPress plugin before 1.3.1 autoload data from its popup on every pages, as such data can be sent by unauthenticated user, and is not validated in length, this could cause a denial of service on the...

7.5CVSS

7.4AI Score

0.001EPSS

2022-02-14 12:15 PM
69
cve
cve

CVE-2021-24718

The Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is...

4.8CVSS

4.8AI Score

0.001EPSS

2021-12-06 04:15 PM
14
cve
cve

CVE-2021-24152

The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site...

6.1CVSS

6.2AI Score

0.001EPSS

2021-04-05 07:15 PM
19
cve
cve

CVE-2020-10195

The popup-builder plugin before 3.64.1 for WordPress allows information disclosure and settings modification, leading to in-scope privilege escalation via admin-post actions to com/classes/Actions.php. By sending a POST request to wp-admin/admin-post.php, an authenticated attacker with minimal...

6.3CVSS

6.5AI Score

0.001EPSS

2020-03-13 04:15 PM
61
cve
cve

CVE-2020-10196

An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several of....

6.1CVSS

6.4AI Score

0.001EPSS

2020-03-13 04:15 PM
65
cve
cve

CVE-2020-9006

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator...

9.8CVSS

10AI Score

0.012EPSS

2020-02-17 03:15 PM
74
cve
cve

CVE-2019-14695

A SQL injection vulnerability exists in the Sygnoos Popup Builder plugin before 3.45 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via com/libs/Table.php because Subscribers Table ordering is...

9.8CVSS

9.8AI Score

0.003EPSS

2019-08-06 02:15 PM
50