CVE-2019-17574

high-risk
Published 2019-10-14

An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file").

Do I need to act?

!
86.9% chance of exploitation in next 30 days
EPSS score — higher than 13% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Popup Maker

Affected Vendors

Code-Atlantic

References (6)

Exploit http://blog.redyops.com/wordpress-plugin-popup-maker/
Release Notes https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md
Third Party Advisory https://wpvulndb.com/vulnerabilities/9907
Exploit http://blog.redyops.com/wordpress-plugin-popup-maker/
Release Notes https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md
Third Party Advisory https://wpvulndb.com/vulnerabilities/9907
56
/ 100
high-risk
Severity 31/34 · Critical
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal