Popup Builder
CVE-2024-2541
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. This data may include the first name, last name, e-mail address, and potentially other personally identifiable information of subscribers.
AnalysisAI
The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the Subscribers Import feature. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. This data may include the first name, last name, e-mail address, and potentially other personally identifiable information of subscribers. Affected products include: Sygnoos Popup Builder.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
More in Popup Builder
View allThe Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and inje
The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter be
The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups funct
The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters b
The popup-builder plugin before 3.64.1 for WordPress allows information disclosure and settings modification, leading to
An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary
A SQL injection vulnerability exists in the Sygnoos Popup Builder plugin before 3.45 for WordPress. Rated critical sever
The Popup Builder WordPress plugin before 1.1.33 does not sanitise and escape some of its Notification fields, which cou
The Popup Builder WordPress plugin before 4.3.5 does not sanitise and escape some of its settings, which could allow hig
The Popup Builder WordPress plugin before 4.2.0 does not sanitise and escape some of its settings, which could allow hig
The Popup Builder WordPress plugin before 4.1.11 does not escape and sanitize some settings, which could allow high priv
Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.11 at WordPress allows an attacke
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today