CVE-2024-2008

Name of the Vulnerable Software and Affected Versions The Modal Popup Box – Popup Builder, Show Offers And News in Popup plugin for WordPress versions up to, and including, 1.5.2

Description The issue allows authenticated attackers with contributor-level access and above to inject a PHP Object via deserialization of untrusted input in the awl modal popup box shortcode function. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Recommendations For versions up to, and including, 1.5.2, consider disabling the awl modal popup box shortcode function until a patch is available to prevent PHP Object Injection. Restrict access to the plugin's functionality to minimize the risk of exploitation, especially for users with contributor-level access and above.