Cyber Resilience

CVE-2023-3186

Severity: Critical · Public PoC

Published: 17 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: not stated
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0606 (90.9th percentile)
Risk Priority: 23 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-3186 is a critical-severity vulnerability of an unspecified weakness type (no CWE listed) in Supsystic Popup. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Popup by Supsystic WordPress plugin before version 1.10.19 contains a prototype pollution vulnerability that permits an attacker to inject arbitrary properties into Object.prototype. The flaw affects this specific plugin component and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors with no required authentication or user interaction and full impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply crafted input that pollutes the JavaScript prototype chain. Because every plain object inherits from Object.prototype, injected properties surface on objects the application never set them on, enabling manipulation of application behavior and potentially leading to arbitrary code execution or data compromise within the WordPress environment.
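The page does not show the plugin's code, so the following is an added illustration of the vulnerability class only, not Supsystic's implementation: a recursive "merge user-supplied settings into a config object" routine of the kind that is prone to prototype pollution, beside a hardened version, with a check that tells a defender whether Object.prototype has been polluted. The input JSON, the function names and the `polluted` marker are all constructed for the example.

```javascript
// Constructed sample input: a JSON document carrying a "__proto__" key.
const POLLUTING_JSON = '{"__proto__": {"polluted": true}, "title": "Hello"}';

// Vulnerable pattern: walks every key of the source, including "__proto__",
// and recurses into target["__proto__"], which is Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: reject keys that reach the prototype chain and only
// descend into own properties of the target, never inherited ones.
const DENIED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DENIED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge routine against the sample input and reports whether a
// fresh empty object now inherits "polluted"; cleans up so it is repeatable.
function mergeAndCheck(mergeFn) {
  const config = { title: 'Default' };
  mergeFn(config, JSON.parse(POLLUTING_JSON));
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { polluted, title: config.title };
}
```

The same fresh-object check (`({}).someKey !== undefined` for keys the application never defines) can run as a startup or test-time assertion to catch a polluted prototype before it changes behavior.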

Public references from WPScan document the issue and indicate that updating the plugin to version 1.10.19 or later addresses the vulnerability. The associated EPSS score remains at 0.0606 with no material increase observed after disclosure.

Vulnerability details

The Popup by Supsystic WordPress plugin before 1.10.19 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties into Object.prototype.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: supsystic
Product: popup
Versions: ≤ 1.10.19

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References