CVE-2025-11370 MEDIUM

CVE-2025-11370: Depicter <= 4.0.7 - Missing Authorization to Unauthenticated Display Rule Updates

Vendor Averta
Product Depicter — Popup & Slider Builder
Weakness CWE-862 · Missing authorization
Published January 6, 2026
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings.

Explanation of Vulnerability in Simple Terms

02Summary

Depicter Popup & Slider Builder versions 4.0.7 and earlier lack proper authorization checks, allowing unauthenticated attackers to modify site content. An attacker can send network requests to alter popups or sliders without needing to log in or interact with a user. This affects the integrity of published content but does not expose sensitive data or take the site offline.

What an attacker can do

03Attacker Capabilities

Modify popups and sliders on the site without logging in.

Potential impact on your site

04Site Impact

Attackers can deface or alter popup and slider content visible to your visitors.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06Disclosure timeline

January 6, 2026 CVE published
April 8, 2026 Record updated