What the vulnerability does
01 Description
The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings.
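The pattern described above, as an added example that is not the plugin's own code: a WordPress AJAX handler that stores settings without checking who is asking, next to a version that checks a nonce and a capability first. The class, action, nonce and option names are hypothetical, and the choice of `manage_options` as the required capability is an assumption.

```php
<?php
// Added illustration: class, action, nonce and option names are hypothetical
// and are not taken from the Depicter code base.
class Example_Rules_Controller {

    // BEFORE: the handler writes whatever it receives. Nothing ties the
    // request to a user who is allowed to change display rules.
    public function store_unchecked() {
        $rules = isset( $_POST['rules'] ) ? wp_unslash( $_POST['rules'] ) : '';
        update_option( 'example_popup_rules', $rules );
        wp_send_json_success();
    }

    // AFTER: verify intent (nonce) and authority (capability) before writing.
    public function store() {
        // Stops with a 403 when the request carries no valid nonce (CSRF check).
        check_ajax_referer( 'example_rules_store', 'nonce' );

        // The kind of capability check the advisory reports as missing.
        // 'manage_options' is an assumed capability for this example.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
        }

        // Accept only a JSON string that decodes to an array of rules.
        $raw = ( isset( $_POST['rules'] ) && is_string( $_POST['rules'] ) )
            ? wp_unslash( $_POST['rules'] )
            : '';
        $rules = json_decode( $raw, true );
        if ( ! is_array( $rules ) ) {
            wp_send_json_error( array( 'message' => 'Invalid rules payload' ), 400 );
        }

        update_option( 'example_popup_rules', $rules );
        wp_send_json_success();
    }
}

// Register only the authenticated hook. wp_ajax_* requires a logged-in session
// but no particular role, so the capability check above is still needed.
// A wp_ajax_nopriv_* hook would expose the handler to anonymous requests.
add_action( 'wp_ajax_example_rules_store', array( new Example_Rules_Controller(), 'store' ) );
```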
Explanation of Vulnerability in Simple Terms
02 Summary
Depicter Popup & Slider Builder versions 4.0.7 and earlier lack proper authorization checks, allowing unauthenticated attackers to modify site content. An attacker can send network requests to alter popups or sliders without needing to log in or interact with a user. This affects the integrity of published content but does not expose sensitive data or take the site offline.
What an attacker can do
03 Attacker Capabilities
Modify popups and sliders on the site without logging in.
Potential impact on your site
04 Site Impact
Attackers can deface or alter popup and slider content visible to your visitors.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
January 6, 2026: CVE published
April 8, 2026: Record updated