Search criteria
10 vulnerabilities found for Popup Builder – Create highly converting, mobile friendly marketing popups. by popupbuilder
CVE-2025-9856 (GCVE-0-2025-9856)
Vulnerability from nvd – Published: 2025-12-13 08:21 – Updated: 2025-12-15 15:46
VLAI?
Title
Popup Builder – Create highly converting, mobile friendly marketing popups. <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. |
Affected:
* , ≤ 4.4.1
(semver)
|
Credits
Naoya Takahashi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T15:42:44.825778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T15:46:08.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups.",
"vendor": "popupbuilder",
"versions": [
{
"lessThanOrEqual": "4.4.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Naoya Takahashi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027sg_popup\u0027 shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-13T08:21:15.324Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/beb6b26a-3fe1-44e0-9fda-97b288abf735?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/helpers/AdminHelper.php#L438"
},
{
"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/classes/popups/SGPopup.php#L1368"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3384281"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-12T19:31:21.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. \u003c= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9856",
"datePublished": "2025-12-13T08:21:15.324Z",
"dateReserved": "2025-09-02T15:30:05.856Z",
"dateUpdated": "2025-12-15T15:46:08.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2541 (GCVE-0-2024-2541)
Vulnerability from nvd – Published: 2024-08-29 12:31 – Updated: 2024-08-29 13:32
VLAI?
Title
Popup Builder <= 4.3.3 - Sensitive Information Exposure via Imported Subscribers CSV File
Summary
The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. This data may include the first name, last name, e-mail address, and potentially other personally identifiable information of subscribers.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Information Exposure
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. |
Affected:
* , ≤ 4.3.3
(semver)
|
Credits
Tim Coen
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:popup_builder:popup_builder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "popup_builder",
"vendor": "popup_builder",
"versions": [
{
"lessThanOrEqual": "4.3.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2541",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T13:26:39.256355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T13:32:58.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups.",
"vendor": "popupbuilder",
"versions": [
{
"lessThanOrEqual": "4.3.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. This data may include the first name, last name, e-mail address, and potentially other personally identifiable information of subscribers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T12:31:08.911Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/086cd6a0-adb6-4e12-b34c-630297f036f3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/popup-builder/trunk/com/libs/Importer.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-28T23:41:29.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Builder \u003c= 4.3.3 - Sensitive Information Exposure via Imported Subscribers CSV File"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2541",
"datePublished": "2024-08-29T12:31:08.911Z",
"dateReserved": "2024-03-15T18:14:26.691Z",
"dateUpdated": "2024-08-29T13:32:58.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6696 (GCVE-0-2023-6696)
Vulnerability from nvd – Published: 2024-06-15 02:02 – Updated: 2024-08-02 08:35
VLAI?
Title
Popup Builder – Create highly converting, mobile friendly marketing popups <= 4.3.1 - Missing Authorization and Nonce Exposure
Summary
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 4.3.1. While some functions contain a nonce check, the nonce can be obtained from the profile page of a logged-in user. This allows subscribers to perform several actions including deleting subscribers and perform blind Server-Side Request Forgery.
Severity ?
8.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. |
Affected:
* , ≤ 4.3.1
(semver)
|
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6696",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T13:59:51.368858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T13:59:57.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.844Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f86ec30-7a9d-4c36-8559-bde331c8b958?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.2.3/com/classes/Ajax.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3096000/popup-builder/trunk/com/classes/Ajax.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups.",
"vendor": "popupbuilder",
"versions": [
{
"lessThanOrEqual": "4.3.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 4.3.1. While some functions contain a nonce check, the nonce can be obtained from the profile page of a logged-in user. This allows subscribers to perform several actions including deleting subscribers and perform blind Server-Side Request Forgery."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-15T02:02:00.502Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f86ec30-7a9d-4c36-8559-bde331c8b958?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.2.3/com/classes/Ajax.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3096000/popup-builder/trunk/com/classes/Ajax.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-14T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups \u003c= 4.3.1 - Missing Authorization and Nonce Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6696",
"datePublished": "2024-06-15T02:02:00.502Z",
"dateReserved": "2023-12-11T18:28:25.914Z",
"dateUpdated": "2024-08-02T08:35:14.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2544 (GCVE-0-2024-2544)
Vulnerability from nvd – Published: 2024-06-15 02:01 – Updated: 2024-08-01 19:18
VLAI?
Title
Popup Builder <= 4.3.0 - Missing Authorization in Multiple AJAX Actions
Summary
The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple unauthorized actions, such as deleting subscribers, and importing subscribers to conduct stored cross-site scripting attacks.
Severity ?
7.4 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. |
Affected:
* , ≤ 4.3.0
(semver)
|
Credits
Alex Thomas
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2544",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T17:56:15.386528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T17:56:21.625Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:18:48.023Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/04802c63-4a5d-4948-9ef1-cf89c4cc757e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3096000%40popup-builder%2Ftrunk\u0026old=3085485%40popup-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups.",
"vendor": "popupbuilder",
"versions": [
{
"lessThanOrEqual": "4.3.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Thomas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple unauthorized actions, such as deleting subscribers, and importing subscribers to conduct stored cross-site scripting attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-15T02:01:57.798Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/04802c63-4a5d-4948-9ef1-cf89c4cc757e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3096000%40popup-builder%2Ftrunk\u0026old=3085485%40popup-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-15T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-06-14T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Builder \u003c= 4.3.0 - Missing Authorization in Multiple AJAX Actions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2544",
"datePublished": "2024-06-15T02:01:57.798Z",
"dateReserved": "2024-03-15T18:54:05.840Z",
"dateUpdated": "2024-08-01T19:18:48.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2506 (GCVE-0-2024-2506)
Vulnerability from nvd – Published: 2024-06-01 06:51 – Updated: 2024-08-01 19:18
VLAI?
Title
Popup Builder <= 4.2.7 - Authenticated(Contributor+) Stored Cross-Site Scripting via Custom JS
Summary
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS functionality in all versions up to, and including, 4.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. |
Affected:
* , ≤ 4.2.7
(semver)
|
Credits
Tim Coen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2506",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T18:38:49.818677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T18:38:56.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:18:47.479Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/804a973e-4650-428c-910f-09e4fc3aa4bb?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3085485%40popup-builder\u0026new=3085485%40popup-builder\u0026sfp_email=\u0026sfph_mail=#file51"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups.",
"vendor": "popupbuilder",
"versions": [
{
"lessThanOrEqual": "4.2.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS functionality in all versions up to, and including, 4.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-01T06:51:49.071Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/804a973e-4650-428c-910f-09e4fc3aa4bb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3085485%40popup-builder\u0026new=3085485%40popup-builder\u0026sfp_email=\u0026sfph_mail=#file51"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-31T18:10:56.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Builder \u003c= 4.2.7 - Authenticated(Contributor+) Stored Cross-Site Scripting via Custom JS"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2506",
"datePublished": "2024-06-01T06:51:49.071Z",
"dateReserved": "2024-03-15T14:39:48.559Z",
"dateUpdated": "2024-08-01T19:18:47.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9856 (GCVE-0-2025-9856)
Vulnerability from cvelistv5 – Published: 2025-12-13 08:21 – Updated: 2025-12-15 15:46
VLAI?
Title
Popup Builder – Create highly converting, mobile friendly marketing popups. <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. |
Affected:
* , ≤ 4.4.1
(semver)
|
Credits
Naoya Takahashi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T15:42:44.825778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T15:46:08.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups.",
"vendor": "popupbuilder",
"versions": [
{
"lessThanOrEqual": "4.4.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Naoya Takahashi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027sg_popup\u0027 shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-13T08:21:15.324Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/beb6b26a-3fe1-44e0-9fda-97b288abf735?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/helpers/AdminHelper.php#L438"
},
{
"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/classes/popups/SGPopup.php#L1368"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3384281"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-12T19:31:21.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. \u003c= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9856",
"datePublished": "2025-12-13T08:21:15.324Z",
"dateReserved": "2025-09-02T15:30:05.856Z",
"dateUpdated": "2025-12-15T15:46:08.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2541 (GCVE-0-2024-2541)
Vulnerability from cvelistv5 – Published: 2024-08-29 12:31 – Updated: 2024-08-29 13:32
VLAI?
Title
Popup Builder <= 4.3.3 - Sensitive Information Exposure via Imported Subscribers CSV File
Summary
The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. This data may include the first name, last name, e-mail address, and potentially other personally identifiable information of subscribers.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Information Exposure
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. |
Affected:
* , ≤ 4.3.3
(semver)
|
Credits
Tim Coen
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:popup_builder:popup_builder:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "popup_builder",
"vendor": "popup_builder",
"versions": [
{
"lessThanOrEqual": "4.3.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2541",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T13:26:39.256355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T13:32:58.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups.",
"vendor": "popupbuilder",
"versions": [
{
"lessThanOrEqual": "4.3.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. This data may include the first name, last name, e-mail address, and potentially other personally identifiable information of subscribers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T12:31:08.911Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/086cd6a0-adb6-4e12-b34c-630297f036f3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/popup-builder/trunk/com/libs/Importer.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-28T23:41:29.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Builder \u003c= 4.3.3 - Sensitive Information Exposure via Imported Subscribers CSV File"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2541",
"datePublished": "2024-08-29T12:31:08.911Z",
"dateReserved": "2024-03-15T18:14:26.691Z",
"dateUpdated": "2024-08-29T13:32:58.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6696 (GCVE-0-2023-6696)
Vulnerability from cvelistv5 – Published: 2024-06-15 02:02 – Updated: 2024-08-02 08:35
VLAI?
Title
Popup Builder – Create highly converting, mobile friendly marketing popups <= 4.3.1 - Missing Authorization and Nonce Exposure
Summary
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 4.3.1. While some functions contain a nonce check, the nonce can be obtained from the profile page of a logged-in user. This allows subscribers to perform several actions including deleting subscribers and perform blind Server-Side Request Forgery.
Severity ?
8.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. |
Affected:
* , ≤ 4.3.1
(semver)
|
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6696",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T13:59:51.368858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T13:59:57.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.844Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f86ec30-7a9d-4c36-8559-bde331c8b958?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.2.3/com/classes/Ajax.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3096000/popup-builder/trunk/com/classes/Ajax.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups.",
"vendor": "popupbuilder",
"versions": [
{
"lessThanOrEqual": "4.3.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 4.3.1. While some functions contain a nonce check, the nonce can be obtained from the profile page of a logged-in user. This allows subscribers to perform several actions including deleting subscribers and perform blind Server-Side Request Forgery."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-15T02:02:00.502Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f86ec30-7a9d-4c36-8559-bde331c8b958?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.2.3/com/classes/Ajax.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3096000/popup-builder/trunk/com/classes/Ajax.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-14T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups \u003c= 4.3.1 - Missing Authorization and Nonce Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6696",
"datePublished": "2024-06-15T02:02:00.502Z",
"dateReserved": "2023-12-11T18:28:25.914Z",
"dateUpdated": "2024-08-02T08:35:14.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2544 (GCVE-0-2024-2544)
Vulnerability from cvelistv5 – Published: 2024-06-15 02:01 – Updated: 2024-08-01 19:18
VLAI?
Title
Popup Builder <= 4.3.0 - Missing Authorization in Multiple AJAX Actions
Summary
The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple unauthorized actions, such as deleting subscribers, and importing subscribers to conduct stored cross-site scripting attacks.
Severity ?
7.4 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. |
Affected:
* , ≤ 4.3.0
(semver)
|
Credits
Alex Thomas
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2544",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T17:56:15.386528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T17:56:21.625Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:18:48.023Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/04802c63-4a5d-4948-9ef1-cf89c4cc757e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3096000%40popup-builder%2Ftrunk\u0026old=3085485%40popup-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups.",
"vendor": "popupbuilder",
"versions": [
{
"lessThanOrEqual": "4.3.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Thomas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple unauthorized actions, such as deleting subscribers, and importing subscribers to conduct stored cross-site scripting attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-15T02:01:57.798Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/04802c63-4a5d-4948-9ef1-cf89c4cc757e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3096000%40popup-builder%2Ftrunk\u0026old=3085485%40popup-builder%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-15T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-06-14T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Builder \u003c= 4.3.0 - Missing Authorization in Multiple AJAX Actions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2544",
"datePublished": "2024-06-15T02:01:57.798Z",
"dateReserved": "2024-03-15T18:54:05.840Z",
"dateUpdated": "2024-08-01T19:18:48.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2506 (GCVE-0-2024-2506)
Vulnerability from cvelistv5 – Published: 2024-06-01 06:51 – Updated: 2024-08-01 19:18
VLAI?
Title
Popup Builder <= 4.2.7 - Authenticated(Contributor+) Stored Cross-Site Scripting via Custom JS
Summary
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS functionality in all versions up to, and including, 4.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. |
Affected:
* , ≤ 4.2.7
(semver)
|
Credits
Tim Coen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2506",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T18:38:49.818677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T18:38:56.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:18:47.479Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/804a973e-4650-428c-910f-09e4fc3aa4bb?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3085485%40popup-builder\u0026new=3085485%40popup-builder\u0026sfp_email=\u0026sfph_mail=#file51"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups.",
"vendor": "popupbuilder",
"versions": [
{
"lessThanOrEqual": "4.2.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS functionality in all versions up to, and including, 4.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-01T06:51:49.071Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/804a973e-4650-428c-910f-09e4fc3aa4bb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3085485%40popup-builder\u0026new=3085485%40popup-builder\u0026sfp_email=\u0026sfph_mail=#file51"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-31T18:10:56.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Builder \u003c= 4.2.7 - Authenticated(Contributor+) Stored Cross-Site Scripting via Custom JS"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2506",
"datePublished": "2024-06-01T06:51:49.071Z",
"dateReserved": "2024-03-15T14:39:48.559Z",
"dateUpdated": "2024-08-01T19:18:47.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}