Skip to main content

Popup Builder CVE-2021-24152

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2021-04-05 contact@wpscan.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 05, 2021 - 19:15 nvd
MEDIUM 6.1

DescriptionNVD

The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting.

AnalysisAI

The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting. Affected products include: Sygnoos Popup Builder.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-6000 MEDIUM POC
6.1 Jan 01

The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and inje

CVE-2022-0479 CRITICAL POC
9.8 Mar 28

The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter be

CVE-2020-9006 CRITICAL POC
9.8 Feb 17

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups funct

CVE-2022-0228 HIGH POC
7.2 Feb 21

The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters b

CVE-2020-10195 MEDIUM POC
6.3 Mar 13

The popup-builder plugin before 3.64.1 for WordPress allows information disclosure and settings modification, leading to

CVE-2020-10196 MEDIUM POC
6.1 Mar 13

An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary

CVE-2019-14695 CRITICAL
9.8 Aug 06

A SQL injection vulnerability exists in the Sygnoos Popup Builder plugin before 3.45 for WordPress. Rated critical sever

CVE-2024-3236 MEDIUM POC
5.4 Jun 17

The Popup Builder WordPress plugin before 1.1.33 does not sanitise and escape some of its Notification fields, which cou

CVE-2024-9428 MEDIUM POC
4.8 Dec 12

The Popup Builder WordPress plugin before 4.3.5 does not sanitise and escape some of its settings, which could allow hig

CVE-2023-3226 MEDIUM POC
4.8 Sep 25

The Popup Builder WordPress plugin before 4.2.0 does not sanitise and escape some of its settings, which could allow hig

CVE-2022-1894 MEDIUM POC
4.8 Jul 11

The Popup Builder WordPress plugin before 4.1.11 does not escape and sanitize some settings, which could allow high priv

CVE-2022-29495 MEDIUM POC
4.3 Jul 22

Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.11 at WordPress allows an attacke

Share

CVE-2021-24152 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy