PT-2024-39397 · WordPress · The Popup Builder

Francesco Carlucci · Published 2024-10-16 · Updated 2024-10-30 · CVE-2024-9061

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress, versions up to 1.3.5.

Description

The issue allows arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode(). This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Recommendations

For versions up to 1.3.5, update to version 1.3.6, which incorporates the correct authorization check to prevent unauthorized access. As a temporary workaround, consider restricting access to the wp_ajax_nopriv_shortcode_Api_Add AJAX action until a patch is available.
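The pattern the advisory describes, shown as an added illustration rather than the plugin's own code: an AJAX handler on the nopriv hook that passes a request value straight to do_shortcode(), next to a hardened handler and a mu-plugin style workaround that blocks unauthenticated requests to the action. The action name shortcode_Api_Add comes from the advisory; the callback names, the request parameter names, the nonce action and the capability are assumptions.

```php
<?php
// Added illustration only; callback, parameter, nonce and capability
// names are assumptions, not the plugin's own code.

// Vulnerable pattern: registered on wp_ajax_nopriv_, so unauthenticated
// requests reach it, and the raw value goes straight into do_shortcode().
add_action( 'wp_ajax_nopriv_shortcode_Api_Add', 'example_shortcode_api_add_vulnerable' );
function example_shortcode_api_add_vulnerable() {
    $shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $shortcode ); // any registered shortcode can run here
    wp_die();
}

// Hardened pattern: logged-in hook only, nonce check, capability check,
// and an allowlisted tag instead of caller-supplied shortcode syntax.
add_action( 'wp_ajax_shortcode_Api_Add', 'example_shortcode_api_add_hardened' );
function example_shortcode_api_add_hardened() {
    check_ajax_referer( 'example_popup_shortcode', 'nonce' ); // dies on failure
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'gallery', 'caption' ); // example allowlist of tags
    $tag     = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unsupported shortcode', 400 );
    }
    // The shortcode string is built server-side; no attributes from the request.
    wp_send_json_success( do_shortcode( '[' . $tag . ']' ) );
}

// Temporary workaround (e.g. in wp-content/mu-plugins/): admin_init runs in
// admin-ajax.php before the wp_ajax_nopriv_* hooks fire, so an anonymous
// request for this action can be refused before the handler is reached.
add_action( 'admin_init', function () {
    if ( wp_doing_ajax()
        && isset( $_REQUEST['action'] )
        && 'shortcode_Api_Add' === $_REQUEST['action']
        && ! is_user_logged_in() ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
} );
```

The workaround only narrows exposure until 1.3.6 is applied; the hardened handler shows the authorization and input checks the fixed version is expected to enforce.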

Fix

Weakness Enumeration
Code Injection

Related Identifiers
CVE-2024-9061

Affected Products
The Popup Builder