6.5
CVE-2020-10195
- EPSS 0.46%
- Veröffentlicht 13.03.2020 16:15:12
- Zuletzt bearbeitet 07.05.2025 15:42:53
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginPopup Builder <= 3.63 - Authenticated Settings Modification, Configuration Disclosure, and User Data Export
The popup-builder plugin before 3.64.1 for WordPress allows information disclosure and settings modification, leading to in-scope privilege escalation via admin-post actions to com/classes/Actions.php. By sending a POST request to wp-admin/admin-post.php, an authenticated attacker with minimal (subscriber-level) permissions can modify the plugin's settings to allow arbitrary roles (including subscribers) access to plugin functionality by setting the action parameter to sgpbSaveSettings, export a list of current newsletter subscribers by setting the action parameter to csv_file, or obtain system configuration information including webserver configuration and a list of installed plugins by setting the action parameter to sgpb_system_info.
Mögliche Gegenmaßnahme
Popup Builder – Create highly converting, mobile friendly marketing popups.: Update to version 3.64.1, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Popup Builder – Create highly converting, mobile friendly marketing popups.
Version
*-3.63
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Sygnoos ≫ Popup Builder SwPlatformwordpress Version < 3.64.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.46% | 0.633 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.3 | 2.8 | 3.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.