CVE-2024-2541 MEDIUM

CVE-2024-2541: Popup Builder <= 4.3.6 - Sensitive Information Exposure via Imported Subscribers CSV File

Vendor Popupbuilder
Product Popup Builder – Create highly converting, mobile friendly marketing popups.
Weakness CWE-200 · Info exposure
Published August 29, 2024
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. This data may include the first name, last name, e-mail address, and potentially other personally identifiable information of subscribers.

Key dates

02Disclosure timeline

August 29, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE