PT-2024-16598 · WordPress · The Popup Box – Create Countdown
Trương Hữu Phúc · Published 2024-11-15 · Updated 2024-11-18 · CVE-2024-10861
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress versions up to, and including, 4.9.7
Description
The issue is related to a missing capability check on the deactivate_plugin_option() function, which allows unauthorized modification of data. This makes it possible for unauthenticated attackers to update the ays_pb_upgrade_plugin option with arbitrary data.
Recommendations
For versions up to, and including, 4.9.7, consider disabling the deactivate_plugin_option() function until a patch is available. Restrict access to the ays_pb_upgrade_plugin option to minimize the risk of exploitation. Update to a version later than 4.9.7 when available.
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
The Popup Box – Create Countdown
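
To act on the version bound in the recommendations, the following added example (not code from the advisory or from the plugin) reads WordPress plugin headers and reports whether an installed copy is at or below 4.9.7. The NAME_HINT substring, the helper names and the sample headers are assumptions made for illustration.

```python
import re
from pathlib import Path

LAST_AFFECTED = (4, 9, 7)   # advisory: versions up to and including 4.9.7
NAME_HINT = "popup box"     # assumption: substring of the "Plugin Name" header

# Plugin header line shape: optional comment characters, then "Field: value".
FIELD = r"^[ \t/*#@]*{}:(.*)$"

def header_field(source, field):
    # WordPress only reads the first 8 KiB of a file when looking for headers.
    m = re.search(FIELD.format(re.escape(field)), source[:8192], re.I | re.M)
    return m.group(1).strip(" \t*/\r") if m else None

def version_tuple(text):
    # Keep the leading numeric components only: "4.9.7-beta" -> (4, 9, 7)
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def is_affected(source):
    """True/False for a matching plugin file; None if it is another plugin or has no version."""
    name = header_field(source, "Plugin Name")
    ver = version_tuple(header_field(source, "Version"))
    if not name or NAME_HINT not in name.lower() or ver is None:
        return None
    # Pad to equal length so 4.9.7.1 compares as newer than 4.9.7.
    width = max(len(ver), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(ver) <= pad(LAST_AFFECTED)

def scan(plugins_dir):
    """Yield (path, affected) for PHP files one level below wp-content/plugins."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        verdict = is_affected(php.read_text(errors="replace"))
        if verdict is not None:
            yield str(php), verdict

# Constructed sample headers (not copied from the plugin).
OLD = "<?php\n/**\n * Plugin Name: Popup Box\n * Version: 4.9.7\n */\n"
NEW = "<?php\n/**\n * Plugin Name: Popup Box\n * Version: 4.9.8\n */\n"
OTHER = "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n"

if __name__ == "__main__":
    for label, src in (("old", OLD), ("new", NEW), ("other", OTHER)):
        print(label, is_affected(src))
```

Versions are compared numerically, so 4.10.0 is correctly treated as newer than 4.9.7, which a plain string comparison would get wrong.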