CVE-2020-10196

Name of the Vulnerable Software and Affected Versions popup-builder plugin versions prior to 3.64.1

Description The issue allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. An unauthenticated attacker can insert malicious JavaScript in several of the popup's fields by sending a request to "wp-admin/admin-ajax.php" with the POST action parameter of sgpb autosave and including additional data in an allPopupData parameter, which includes the popup's ID and arbitrary JavaScript. This injection typically bypasses most WAF applications because the plugin functionality automatically adds script tags to data entered into these fields.

Recommendations For versions prior to 3.64.1, update to version 3.64.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-admin/admin-ajax.php" endpoint with the sgpb autosave action parameter to minimize the risk of exploitation. Avoid using the allPopupData parameter in the affected API endpoint until the issue is resolved.