Platform
wordpress
Component
wp-popup-builder
Fixed in
1.3.6
CVE-2024-9061 is a vulnerability affecting the WP Popup Builder plugin for WordPress, allowing arbitrary shortcode execution. This flaw stems from inadequate input validation within the wp_ajax_nopriv_shortcode_Api_Add AJAX action. Successful exploitation could lead to unauthorized modifications to website content and functionality. Versions of the plugin up to and including 1.3.5 are vulnerable, with a fix released in version 1.3.6.
An attacker exploiting CVE-2024-9061 can inject and execute arbitrary shortcodes on a WordPress website running the vulnerable plugin. Shortcodes are powerful WordPress features that can embed various functionalities, including custom content, scripts, and even malicious code. This could result in website defacement, redirection to malicious sites, or the execution of arbitrary PHP code, potentially leading to complete server compromise. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of attackers.
CVE-2024-9061 was publicly disclosed on 2024-10-16. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation and the plugin's popularity suggest a potential for widespread attacks. Public proof-of-concept code may emerge, further increasing the risk. This vulnerability is not currently listed on the CISA KEV catalog.
Websites utilizing the WP Popup Builder plugin, particularly those running older versions (≤1.3.5), are at risk. Shared hosting environments are especially vulnerable as they often lack granular plugin management controls, making it easier for attackers to exploit vulnerabilities across multiple sites.
• wordpress / composer / npm:
grep -r 'wp_ajax_nopriv_shortcode_Api_Add' /var/www/html/wp-content/plugins/wp-popup-builder/
• wordpress / composer / npm:
wp plugin list --status=all | grep 'wp-popup-builder'
• wordpress / composer / npm:
wp plugin update wp-popup-builder --all
Disclosure
Exploit status
EPSS
89.00% (100th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-9061 is to immediately upgrade the WP Popup Builder plugin to version 1.3.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a nonce check was introduced in version 1.3.5, it only partially addressed the vulnerability, so upgrading to 1.3.6 is still essential. Monitor WordPress access logs for suspicious AJAX requests targeting the wp_ajax_nopriv_shortcode_Api_Add endpoint.
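The two checks the advisory recommends, confirming whether an installed version is below the fixed release and watching access logs for requests to the vulnerable AJAX action, can be scripted. The following is an added example written for this page, not code from the advisory or from the WP Popup Builder project. It assumes a Combined-format web-server access log, and it relies on the standard WordPress convention that a logged-out request to admin-ajax.php with `action=X` dispatches to the hook `wp_ajax_nopriv_X`, so the action value to look for is `shortcode_Api_Add`. The log lines are constructed sample data.

```python
"""Added example for CVE-2024-9061 (not from the advisory or the plugin):
  - version_is_vulnerable(): is a plugin version below the fixed release 1.3.6?
  - find_shortcode_api_requests(): flag access-log requests to admin-ajax.php
    whose `action` query parameter is shortcode_Api_Add.
Only the query string is visible in a standard access log; a POST whose body
carries action=... is not, so the log check has that known blind spot."""
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (1, 3, 6)          # version named in the advisory
SUSPECT_ACTION = "shortcode_Api_Add"  # action behind wp_ajax_nopriv_shortcode_Api_Add

# Combined log format (assumption): ip - - [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). Lines 1 and 4 come from the same
# client; only line 1 exposes the action in the query string.
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Oct/2024:10:01:02 +0000] '
    '"GET /wp-admin/admin-ajax.php?action=shortcode_Api_Add HTTP/1.1" 200 512',
    '203.0.113.11 - - [16/Oct/2024:10:01:05 +0000] '
    '"POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 89',
    '198.51.100.7 - - [16/Oct/2024:10:02:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 4096',
    '203.0.113.10 - - [16/Oct/2024:10:02:30 +0000] '
    '"POST /wp-admin/admin-ajax.php HTTP/1.1" 200 33',
]


def parse_version(version):
    """'1.3.5' -> (1, 3, 5); missing trailing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_is_vulnerable(version):
    """True for every release below the fixed 1.3.6 (i.e. <= 1.3.5)."""
    return parse_version(version) < FIXED_VERSION


def find_shortcode_api_requests(lines):
    """Return one record per request to admin-ajax.php with action=shortcode_Api_Add."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined-format line; skip rather than guess
        url = urlsplit(m.group("path"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs URL-decodes values, so percent-encoded variants still match
        actions = parse_qs(url.query).get("action", [])
        if SUSPECT_ACTION in actions:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "method": m.group("method"),
                "status": m.group("status"),
            })
    return hits


if __name__ == "__main__":
    for v in ("1.3.5", "1.3.6"):
        print(v, "vulnerable" if version_is_vulnerable(v) else "fixed")
    for hit in find_shortcode_api_requests(SAMPLE_LOG):
        print("suspect AJAX request:", hit)
```

To run it against a real log, replace `SAMPLE_LOG` with the lines of the server's access log; the version string to test comes from `wp plugin list` or the plugin's main file header.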
Update the WP Popup Builder plugin to version 1.3.6 or later. This version fixes the unauthenticated arbitrary shortcode execution vulnerability.
CVE-2024-9061 is a vulnerability in the WP Popup Builder plugin for WordPress that allows unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation.
Yes, if you are using WP Popup Builder version 1.3.5 or earlier, you are vulnerable to this arbitrary shortcode execution vulnerability.
Upgrade the WP Popup Builder plugin to version 1.3.6 or later to remediate the vulnerability. If upgrading is not immediately possible, temporarily disable the plugin.
While no active exploitation campaigns have been definitively confirmed, the ease of exploitation suggests a potential for widespread attacks.
Refer to the official WP Popup Builder website and WordPress plugin repository for the latest advisory and update information.