“One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded. The other vulnerability allowed any logged-in user, even those with minimal permissions such as a subscriber, to export a list of all newsletter subscribers, export system configuration information, and grant themselves access to various features of the plugin.”

- Unauthenticated Stored Cross-Site Scripting (XSS)
- Authenticated Settings Modification, Configuration Disclosure, and User Data Export

CPE

Name | Operator | Version |
---|---|---|
popup-builder | lt | 3.64.1 |