CVE-2023-46197

Severity: Medium
Published: 17 May 2024
Modified: 28 April 2026
KEV Added: (not listed)
Patch: (no entry)
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.1733 (95.2nd percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-46197 is a medium-severity Path Traversal (CWE-22) vulnerability in Supsystic Popup. Its CVSS base score is 5.3 (Medium).

Operationally, its EPSS score places it in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-46197 is a path traversal vulnerability (CWE-22) affecting the Popup by Supsystic WordPress plugin from versions n/a through 1.10.19. The flaw stems from improper limitation of pathnames to restricted directories, enabling relative path traversal that can expose files outside intended boundaries.

Unauthenticated remote attackers can exploit the issue over the network with low complexity and no user interaction required. Successful exploitation grants limited confidentiality impact, specifically the disclosure of subscriber email addresses stored by the plugin, while leaving integrity and availability unaffected.

Patchstack advisories describe the vulnerability as unauthenticated subscriber email address disclosure and recommend updating the plugin beyond version 1.10.19 to remediate the path traversal flaw. The associated EPSS score has reached a peak of 0.2308 with a current value of 0.1733, indicating moderate but not sharply escalating exploitation interest since disclosure.

EU & UK References

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in supsystic.Com Popup by Supsystic allows Relative Path Traversal. This issue affects Popup by Supsystic: from n/a through 1.10.19.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: supsystic
Product: popup
Versions: ≤ 1.10.20

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
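The control above is generic to CWE-22, so the following added example shows what it looks like in code. It is illustrative code written for this page, not the Supsystic plugin's own code, and it is in Python rather than PHP so the logic reads the same regardless of the web stack. The `UPLOAD_DIR` path and every sample input are constructed; none of them come from the advisory. The example places the naive join (the pattern CWE-22 describes) next to a hardened resolver that canonicalises both sides and requires the result to stay under the base directory.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed base directory for the example; it does not need to exist on disk,
# because os.path.realpath normalises non-existent components as well.
UPLOAD_DIR = "/srv/example-site/uploads"


def naive_join(base_dir: str, user_path: str) -> str:
    """The CWE-22 pattern: trusting a user-supplied relative path.
    normpath tidies the string but keeps walking upward through '..'."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened form of the control: canonicalise both sides and require the
    candidate to be a descendant of base_dir. Returns None when rejected."""
    # Decode percent-encoding once so '%2e%2e' is judged as '..' and not as literal text.
    decoded = unquote(user_path)
    # NUL bytes can truncate the path in lower-level C string handling; refuse them outright.
    if "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    # join() discards base_dir when user_path is absolute, which is exactly
    # why the containment check below must never be skipped.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath compares whole components, so '/srv/x/uploads-old' is not
    # mistaken for a child of '/srv/x/uploads' the way a startswith() check would be.
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # paths on different drives (Windows) share no common path
        return None
    return candidate


def check_samples():
    """Run constructed sample inputs through both resolvers.
    Returns (input, naive result, hardened result) triples."""
    samples = [
        "subscribers.csv",                  # benign
        "exports/../subscribers.csv",       # benign, '..' stays inside the base
        "../../wp-config.php",              # classic upward traversal
        "%2e%2e/%2e%2e/wp-config.php",      # same, percent-encoded
        "../uploads-old/subscribers.csv",   # sibling directory sharing a prefix
        "/etc/passwd",                      # absolute path overriding the base
        "subscribers.csv\x00.png",          # NUL-byte truncation attempt
    ]
    return [(s, naive_join(UPLOAD_DIR, s), resolve_within(UPLOAD_DIR, s)) for s in samples]


if __name__ == "__main__":
    for user_input, unsafe, safe in check_samples():
        print(f"{user_input!r:34} naive -> {unsafe!r:42} hardened -> {safe!r}")
```

Running the block prints each sample with the path the naive join would open beside the hardened resolver's decision; only the two benign inputs come back as a path, and `resolve_within` is the function a handler should call before touching the filesystem.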

References