Popup Maker Boost Sales Conversions Optins Subscribers With The Ultimate Wp Popup Builder
Monthly
Remote code execution in the Popup Maker WordPress plugin (all versions through 1.22.0) allows authenticated attackers holding editor-level access or above to install and activate an arbitrary plugin from an attacker-controlled URL, resulting in full server-side code execution. The root cause is a missing authorization check (CWE-862) in the plugin's REST API Connect controller, whose install endpoint treats a bearer token - issued by the legacy v1/connect/info endpoint - as its only non-spoofable authorization gate. Reported by Wordfence; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in the Popup Maker WordPress plugin (all versions through 1.22.0) allows authenticated attackers holding editor-level access or above to install and activate an arbitrary plugin from an attacker-controlled URL, resulting in full server-side code execution. The root cause is a missing authorization check (CWE-862) in the plugin's REST API Connect controller, whose install endpoint treats a bearer token - issued by the legacy v1/connect/info endpoint - as its only non-spoofable authorization gate. Reported by Wordfence; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.