CVE-2024-9061
Published: 16 October 2024
Summary
CVE-2024-9061 is a high-severity Code Injection (CWE-94) vulnerability in Themehunk Wp Popup Builder. Its CVSS base score is 7.3 (High).
Operationally, ranked in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to and including 1.3.5. The flaw exists in the wp_ajax_nopriv_shortcode_Api_Add AJAX action, which invokes do_shortcode without properly validating input, corresponding to CWE-94 and carrying a CVSS 3.1 score of 7.3.
Unauthenticated attackers can send crafted requests to the AJAX endpoint and cause the plugin to execute arbitrary shortcodes, resulting in limited impacts to confidentiality, integrity, and availability.
The referenced Wordfence advisory and WordPress plugin changeset indicate that version 1.3.5 added a nonce check that partially blocked the issue, while version 1.3.6 introduced the required authorization check to fully prevent unauthorized access. The EPSS score has reached a peak of 0.8964 with a current value of 0.8900.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49698
Vulnerability details
The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software…
more
allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
Validates inputs used in dynamic code generation to block injected directives.
Directly prevents execution of attacker-supplied code written into data memory regions.