cleantalk
Vulnerabilities and Security Researches

WP Popup Builder – Popup Forms and Marketing Lead Generation, CVE-2024-9061

CVE, Research URL

CVE-2024-9061

Home page URL

Security reports for WP Popup Builder – Popup Forms and Marketing Lead Generation

Application

WP Popup Builder – Popup Forms and Marketing Lead Generation

Published on
Oct 16, 2024
Research Description
The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access.
Affected versions
max 1.3.6.
Status
vulnerable
Previous vulnerability researches
WP Popup Builder – Popup Forms and Marketing Lead Generation (CVE-2024-9061) , Oct 17, 2024
WP Popup Builder – Popup Forms and Marketing Lead Generation (CVE-2025-62902) , Nov 11, 2025
WP Popup Builder – Popup Forms and Marketing Lead Generation (CVE-2022-2405) , Jun 07, 2024
WP Popup Builder – Popup Forms and Marketing Lead Generation (CVE-2022-2404) , Jun 07, 2024
New vulnerability
Pets (CVE-2025-52742) , Nov 11, 2025
WordPress Live Webcam Widget & Shortcode (CVE-2025-10129) , Nov 11, 2025
Free Follow-Up Emails & Marketing Automation for WooCommerce – ShopMagic (CVE-2025-59578) , Nov 11, 2025
Find And Replace content for WordPress (CVE-2025-10313) , Nov 11, 2025
Master Blocks – Ultimate Gutenberg Blocks for Marketers (CVE-2025-10896) , Nov 11, 2025