CVE-2024-9061 Scanner
CVE-2024-9061 scanner - Code Injection vulnerability in WP Popup Builder Popup Forms and Marketing Lead Generation
Short Info
Level
High
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
29 days
Scan only one
Domain, IPv4
Toolbox
-
The WP Popup Builder Popup Forms and Marketing Lead Generation plugin is widely used in WordPress sites for creating customizable popups and lead capture forms. Marketers and site administrators utilize this tool to generate leads, increase engagement, and enhance user interactivity. It is particularly popular for its easy-to-integrate marketing functionalities and wide range of customizable templates. With its flexible settings, users can adapt popup designs to match brand themes and goals. The plugin is supported by ThemeHunk and is actively updated to meet modern marketing needs.
This vulnerability allows attackers to inject and execute arbitrary shortcodes on WordPress sites running the WP Popup Builder plugin. Due to improper validation in the wp_ajax_nopriv_shortcode_Api_Add AJAX action, unauthenticated users can abuse the do_shortcode functionality to insert unwanted code. This exploit compromises the security of the site, potentially revealing sensitive information or enabling unauthorized actions. The severity level is high, making it crucial for affected sites to take preventive measures immediately.
The vulnerability stems from a flaw in the wp_ajax_nopriv_shortcode_Api_Add AJAX action, which lacks adequate validation for user input. This allows unauthenticated attackers to send specially crafted POST requests that trigger the do_shortcode function, thereby executing arbitrary code. The specific endpoint affected is /wp-admin/admin-ajax.php
with a payload action of shortcode_Api_Add. The vulnerability is present due to the insufficient handling of the shortcode input, making it susceptible to code injection. Successful exploitation results in the site executing arbitrary shortcodes, potentially allowing further attacks.
Exploitation of this vulnerability could lead to severe security risks, including unauthorized access to sensitive site areas, manipulation of site content, or data disclosure. Additionally, attackers could use this vulnerability to implant backdoors, create unwanted popups or redirects, or inject malicious content. Such compromises may impact site credibility, result in data breaches, and lead to SEO penalties if malicious code is embedded on the website.
By using S4E’s advanced scanning platform, you gain unparalleled insights into potential security threats before they become severe. Our scanners detect various vulnerabilities, misconfigurations, and cyber risks across digital assets, helping you maintain a secure online presence. With automated scans and comprehensive reports, the platform simplifies vulnerability management and enables swift remediation actions. S4E empowers you to take proactive security measures, ensuring your site’s reliability, integrity, and trustworthiness. Become a member today to experience unmatched protection for your online assets.
References: