Matix Popup Builder CVE-2024-52382
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in medmatech Matix Popup Builder medma-matix allows Privilege Escalation.This issue affects Matix Popup Builder: from n/a through <= 1.0.0.
AnalysisAI
Privilege escalation in medmatech Matix Popup Builder WordPress plugin (versions up to and including 1.0.0) allows remote unauthenticated attackers to gain elevated privileges by abusing missing authorization checks. With a CVSS score of 9.8 and an EPSS score of 13.56% (94th percentile), this represents elevated exploitation risk relative to typical CVEs, though no public exploit identified at time of analysis.
Technical ContextAI
Matix Popup Builder (medma-matix) is a WordPress plugin developed by medmatech for creating popup elements on WordPress sites. The root cause is CWE-862 (Missing Authorization), where the plugin fails to perform proper authorization checks before allowing privileged operations. In WordPress plugins, this class of vulnerability typically arises when AJAX endpoints, REST API routes, or admin-post handlers omit capability checks (such as current_user_can()) or nonce verification, exposing administrative functions to unauthenticated requests. The result is that operations intended for administrators become reachable by lower-privileged or anonymous users, enabling privilege escalation.
Affected ProductsAI
The vulnerability affects medmatech Matix Popup Builder (slug: medma-matix) WordPress plugin in all versions from initial release through and including version 1.0.0. The advisory was issued by Patchstack (audit@patchstack.com). No vendor-supplied CPE string was provided in the available intelligence, and no fixed version has been identified in the source data.
RemediationAI
No vendor-released patch identified at time of analysis - the affected range explicitly extends through the latest available version 1.0.0 with no fixed version listed. Site operators should immediately deactivate and remove the Matix Popup Builder plugin from WordPress installations until medmatech publishes a patched release; uninstalling will eliminate popup functionality provided by this plugin, requiring an alternative popup solution if this feature is business-critical. As compensating controls, restrict access to wp-admin/admin-ajax.php and the plugin's REST/AJAX endpoints via a WAF rule or .htaccess block on the medma-matix paths, monitor for unexpected new administrator accounts or role changes via WordPress audit logging, and subscribe to the Patchstack advisory feed for fix-availability notifications.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today