CVE-2023-6696

Name of the Vulnerable Software and Affected Versions The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress versions up to, and including, 4.3.1

Description The issue arises from a missing capability check on several functions, allowing unauthorized access to functionality. Although some functions include a nonce check, the nonce can be obtained from the profile page of a logged-in user. This enables subscribers to perform actions such as deleting subscribers and conducting blind Server-Side Request Forgery.

Recommendations For versions up to, and including, 4.3.1, update to a version higher than 4.3.1 to resolve the issue. As a temporary workaround, consider restricting access to the functions that contain the missing capability check until a patch is available. Additionally, restrict access to the profile page of logged-in users to minimize the risk of nonce exploitation.