CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
What the vulnerability does
The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records.
Explanation of Vulnerability in Simple Terms
The Popup Builder plugin for WordPress contains a missing authorization flaw that allows authenticated users with low privileges to modify popup content and settings they should not have access to. An attacker with a basic user account can alter popup configurations, potentially affecting site functionality and user experience. The vulnerability requires an active WordPress user account but no additional user interaction. Update to a version newer than 2.2.0 to resolve this issue.
What an attacker can do
Modify popup content and settings without proper authorization.
Potential impact on your site
Unauthorized users can alter popup behavior, potentially disrupting marketing campaigns or user experience.
Conditions required to exploit
Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor).
Key dates
External resources
Related vulnerabilities
