Search criteria
12 vulnerabilities found for newsletter_popup by mndpsingh287
FKIE_CVE-2024-3644
Vulnerability from fkie_nvd - Published: 2024-05-16 06:15 - Updated: 2025-05-19 14:32
Severity ?
Summary
The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/10eb712a-d9c3-46c9-be6a-02811396fae8/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/10eb712a-d9c3-46c9-be6a-02811396fae8/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mndpsingh287 | newsletter_popup | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mndpsingh287:newsletter_popup:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "DE5BC495-D0CB-4332-A5DB-A4E391D66992",
"versionEndIncluding": "1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
},
{
"lang": "es",
"value": "El complemento Newsletter Popup de WordPress hasta la versi\u00f3n 1.2 no desinfecta ni escapa a algunas de sus configuraciones, lo que podr\u00eda permitir que usuarios con privilegios elevados, como el administrador, realicen ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio)."
}
],
"id": "CVE-2024-3644",
"lastModified": "2025-05-19T14:32:20.610",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-05-16T06:15:10.370",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/10eb712a-d9c3-46c9-be6a-02811396fae8/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/10eb712a-d9c3-46c9-be6a-02811396fae8/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-3643
Vulnerability from fkie_nvd - Published: 2024-05-16 06:15 - Updated: 2025-05-19 14:32
Severity ?
Summary
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/698277e6-56f9-4688-9a84-c2fa3ea9f7dc/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/698277e6-56f9-4688-9a84-c2fa3ea9f7dc/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mndpsingh287 | newsletter_popup | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mndpsingh287:newsletter_popup:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "DE5BC495-D0CB-4332-A5DB-A4E391D66992",
"versionEndIncluding": "1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack"
},
{
"lang": "es",
"value": "El complemento Newsletter Popup de WordPress hasta la versi\u00f3n 1.2 no tiene verificaci\u00f3n CSRF al eliminar la lista, lo que podr\u00eda permitir a los atacantes hacer que los administradores registrados realicen dicha acci\u00f3n a trav\u00e9s de un ataque CSRF."
}
],
"id": "CVE-2024-3643",
"lastModified": "2025-05-19T14:32:56.613",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-05-16T06:15:10.053",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/698277e6-56f9-4688-9a84-c2fa3ea9f7dc/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/698277e6-56f9-4688-9a84-c2fa3ea9f7dc/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-3642
Vulnerability from fkie_nvd - Published: 2024-05-16 06:15 - Updated: 2025-05-19 14:33
Severity ?
Summary
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/dc44d85f-afe8-4824-95b0-11b9abfb04d8/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/dc44d85f-afe8-4824-95b0-11b9abfb04d8/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mndpsingh287 | newsletter_popup | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mndpsingh287:newsletter_popup:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "DE5BC495-D0CB-4332-A5DB-A4E391D66992",
"versionEndIncluding": "1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack"
},
{
"lang": "es",
"value": "El complemento Newsletter Popup de WordPress hasta la versi\u00f3n 1.2 no tiene verificaci\u00f3n CSRF al eliminar suscriptores, lo que podr\u00eda permitir a los atacantes hacer que los administradores registrados realicen dicha acci\u00f3n a trav\u00e9s de un ataque CSRF."
}
],
"id": "CVE-2024-3642",
"lastModified": "2025-05-19T14:33:12.817",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 4.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-05-16T06:15:09.770",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/dc44d85f-afe8-4824-95b0-11b9abfb04d8/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/dc44d85f-afe8-4824-95b0-11b9abfb04d8/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-3641
Vulnerability from fkie_nvd - Published: 2024-05-16 06:15 - Updated: 2025-05-19 14:33
Severity ?
Summary
The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/f4047f1e-d5ea-425f-8def-76dd5e6a497e/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/f4047f1e-d5ea-425f-8def-76dd5e6a497e/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mndpsingh287 | newsletter_popup | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mndpsingh287:newsletter_popup:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "DE5BC495-D0CB-4332-A5DB-A4E391D66992",
"versionEndIncluding": "1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins"
},
{
"lang": "es",
"value": "El complemento Newsletter Popup de WordPress hasta la versi\u00f3n 1.2 no desinfecta ni escapa algunos par\u00e1metros, lo que podr\u00eda permitir que visitantes no autenticados realicen ataques de Cross-Site Scripting contra administradores."
}
],
"id": "CVE-2024-3641",
"lastModified": "2025-05-19T14:33:38.033",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-05-16T06:15:08.703",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/f4047f1e-d5ea-425f-8def-76dd5e6a497e/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/f4047f1e-d5ea-425f-8def-76dd5e6a497e/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-3644 (GCVE-0-2024-3644)
Vulnerability from cvelistv5 – Published: 2024-05-16 06:00 – Updated: 2024-11-20 17:41
VLAI?
Title
Newsletter Popup <= 1.2 - Admin+ Stored XSS
Summary
The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity ?
4.8 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Newsletter Popup |
Affected:
0 , ≤ 1.2
(semver)
|
Credits
Bob Matyas
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3644",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T15:05:57.231076Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T17:41:01.371Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:00.100Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/10eb712a-d9c3-46c9-be6a-02811396fae8/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Newsletter Popup",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bob Matyas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-16T06:00:03.032Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/10eb712a-d9c3-46c9-be6a-02811396fae8/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Newsletter Popup \u003c= 1.2 - Admin+ Stored XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-3644",
"datePublished": "2024-05-16T06:00:03.032Z",
"dateReserved": "2024-04-10T20:59:15.164Z",
"dateUpdated": "2024-11-20T17:41:01.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3643 (GCVE-0-2024-3643)
Vulnerability from cvelistv5 – Published: 2024-05-16 06:00 – Updated: 2024-08-12 18:24
VLAI?
Title
Newsletter Popup <= 1.2 - List Deletion via CSRF
Summary
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Newsletter Popup |
Affected:
0 , ≤ 1.2
(semver)
|
Credits
Bob Matyas
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:00.408Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/698277e6-56f9-4688-9a84-c2fa3ea9f7dc/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:newsletter_popup_project:newsletter_popup:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "affected",
"product": "newsletter_popup",
"vendor": "newsletter_popup_project",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3643",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T18:21:01.416499Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T18:24:48.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Newsletter Popup",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bob Matyas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-16T06:00:02.799Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/698277e6-56f9-4688-9a84-c2fa3ea9f7dc/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Newsletter Popup \u003c= 1.2 - List Deletion via CSRF",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-3643",
"datePublished": "2024-05-16T06:00:02.799Z",
"dateReserved": "2024-04-10T20:58:41.292Z",
"dateUpdated": "2024-08-12T18:24:48.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3642 (GCVE-0-2024-3642)
Vulnerability from cvelistv5 – Published: 2024-05-16 06:00 – Updated: 2025-03-27 15:24
VLAI?
Title
Newsletter Popup <= 1.2 - Subscriber Deletion via CSRF
Summary
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack
Severity ?
6.9 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Newsletter Popup |
Affected:
0 , ≤ 1.2
(semver)
|
Credits
Bob Matyas
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3642",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T15:55:34.224499Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T15:24:05.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:19:59.856Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/dc44d85f-afe8-4824-95b0-11b9abfb04d8/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Newsletter Popup",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bob Matyas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-16T06:00:02.572Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/dc44d85f-afe8-4824-95b0-11b9abfb04d8/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Newsletter Popup \u003c= 1.2 - Subscriber Deletion via CSRF",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-3642",
"datePublished": "2024-05-16T06:00:02.572Z",
"dateReserved": "2024-04-10T20:58:17.624Z",
"dateUpdated": "2025-03-27T15:24:05.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3641 (GCVE-0-2024-3641)
Vulnerability from cvelistv5 – Published: 2024-05-16 06:00 – Updated: 2025-03-13 13:00
VLAI?
Title
Newsletter Popup <= 1.2 - Unauthenticated Stored XSS
Summary
The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins
Severity ?
6.1 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Newsletter Popup |
Affected:
0 , ≤ 1.2
(semver)
|
Credits
Bob Matyas
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3641",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T15:56:51.515011Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T13:00:44.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:19:59.822Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/f4047f1e-d5ea-425f-8def-76dd5e6a497e/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Newsletter Popup",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bob Matyas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-16T06:00:01.973Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/f4047f1e-d5ea-425f-8def-76dd5e6a497e/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Newsletter Popup \u003c= 1.2 - Unauthenticated Stored XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-3641",
"datePublished": "2024-05-16T06:00:01.973Z",
"dateReserved": "2024-04-10T20:57:40.503Z",
"dateUpdated": "2025-03-13T13:00:44.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3644 (GCVE-0-2024-3644)
Vulnerability from nvd – Published: 2024-05-16 06:00 – Updated: 2024-11-20 17:41
VLAI?
Title
Newsletter Popup <= 1.2 - Admin+ Stored XSS
Summary
The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity ?
4.8 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Newsletter Popup |
Affected:
0 , ≤ 1.2
(semver)
|
Credits
Bob Matyas
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3644",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T15:05:57.231076Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T17:41:01.371Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:00.100Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/10eb712a-d9c3-46c9-be6a-02811396fae8/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Newsletter Popup",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bob Matyas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-16T06:00:03.032Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/10eb712a-d9c3-46c9-be6a-02811396fae8/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Newsletter Popup \u003c= 1.2 - Admin+ Stored XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-3644",
"datePublished": "2024-05-16T06:00:03.032Z",
"dateReserved": "2024-04-10T20:59:15.164Z",
"dateUpdated": "2024-11-20T17:41:01.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3643 (GCVE-0-2024-3643)
Vulnerability from nvd – Published: 2024-05-16 06:00 – Updated: 2024-08-12 18:24
VLAI?
Title
Newsletter Popup <= 1.2 - List Deletion via CSRF
Summary
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Newsletter Popup |
Affected:
0 , ≤ 1.2
(semver)
|
Credits
Bob Matyas
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:00.408Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/698277e6-56f9-4688-9a84-c2fa3ea9f7dc/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:newsletter_popup_project:newsletter_popup:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "affected",
"product": "newsletter_popup",
"vendor": "newsletter_popup_project",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3643",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T18:21:01.416499Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T18:24:48.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Newsletter Popup",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bob Matyas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-16T06:00:02.799Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/698277e6-56f9-4688-9a84-c2fa3ea9f7dc/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Newsletter Popup \u003c= 1.2 - List Deletion via CSRF",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-3643",
"datePublished": "2024-05-16T06:00:02.799Z",
"dateReserved": "2024-04-10T20:58:41.292Z",
"dateUpdated": "2024-08-12T18:24:48.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3642 (GCVE-0-2024-3642)
Vulnerability from nvd – Published: 2024-05-16 06:00 – Updated: 2025-03-27 15:24
VLAI?
Title
Newsletter Popup <= 1.2 - Subscriber Deletion via CSRF
Summary
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack
Severity ?
6.9 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Newsletter Popup |
Affected:
0 , ≤ 1.2
(semver)
|
Credits
Bob Matyas
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3642",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T15:55:34.224499Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T15:24:05.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:19:59.856Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/dc44d85f-afe8-4824-95b0-11b9abfb04d8/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Newsletter Popup",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bob Matyas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-16T06:00:02.572Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/dc44d85f-afe8-4824-95b0-11b9abfb04d8/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Newsletter Popup \u003c= 1.2 - Subscriber Deletion via CSRF",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-3642",
"datePublished": "2024-05-16T06:00:02.572Z",
"dateReserved": "2024-04-10T20:58:17.624Z",
"dateUpdated": "2025-03-27T15:24:05.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3641 (GCVE-0-2024-3641)
Vulnerability from nvd – Published: 2024-05-16 06:00 – Updated: 2025-03-13 13:00
VLAI?
Title
Newsletter Popup <= 1.2 - Unauthenticated Stored XSS
Summary
The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins
Severity ?
6.1 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Newsletter Popup |
Affected:
0 , ≤ 1.2
(semver)
|
Credits
Bob Matyas
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3641",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T15:56:51.515011Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T13:00:44.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:19:59.822Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/f4047f1e-d5ea-425f-8def-76dd5e6a497e/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Newsletter Popup",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bob Matyas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-16T06:00:01.973Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/f4047f1e-d5ea-425f-8def-76dd5e6a497e/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Newsletter Popup \u003c= 1.2 - Unauthenticated Stored XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-3641",
"datePublished": "2024-05-16T06:00:01.973Z",
"dateReserved": "2024-04-10T20:57:40.503Z",
"dateUpdated": "2025-03-13T13:00:44.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}