CVE-2023-3186
📋 TL;DR
This CVE describes a prototype pollution vulnerability in the Popup by Supsystic WordPress plugin. Attackers can inject arbitrary properties into Object.prototype, potentially leading to remote code execution or privilege escalation. All WordPress sites running vulnerable versions of this plugin are affected.
💻 Affected Systems
- Popup by Supsystic WordPress Plugin
📦 What is this software?
Popup by Supsystic
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data theft, and server takeover.
Likely Case
Privilege escalation allowing attackers to gain administrative access to WordPress sites.
If Mitigated
Limited impact if proper input validation and security controls prevent exploitation.
🎯 Exploit Status
Prototype pollution vulnerabilities are often easily exploitable with publicly available techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.10.19
Vendor Advisory: https://wordpress.org/plugins/popup-by-supsystic/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Popup by Supsystic' and click 'Update Now'.
4. Verify the version is 1.10.19 or later.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate popup-by-supsystic
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block prototype pollution attempts
- Where possible, restrict access to the plugin's endpoints to authenticated users only
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for the installed Popup by Supsystic version; any version before 1.10.19 is vulnerable.
Check Version:
wp plugin get popup-by-supsystic --field=version
Verify Fix Applied:
Verify plugin version is 1.10.19 or later in WordPress admin panel.
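The following script is an added example, not part of the advisory or the plugin vendor's tooling. It wraps the WP-CLI check above in a version comparison so the result is a clear verdict rather than a string to eyeball. It assumes GNU coreutils `sort -V`; the live check additionally assumes WP-CLI (`wp`) is on PATH and, optionally, a `WP_PATH` variable pointing at the WordPress root.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin vendor): classify an installed
# Popup by Supsystic version against the patched release named in the advisory.
# Assumes GNU coreutils `sort -V`; the live check additionally assumes WP-CLI (`wp`)
# on PATH and an optional WP_PATH pointing at the WordPress root.

PATCHED_VERSION="1.10.19"
PLUGIN_SLUG="popup-by-supsystic"

# Print "vulnerable", "patched" or "unknown" for a version string.
# Always returns 0 so it composes cleanly with `set -e` callers.
classify_version() {
    ver="$1"
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    if [ "$ver" = "$PATCHED_VERSION" ]; then
        echo "patched"
        return 0
    fi
    # Version-sort both strings; if ours sorts first it is older than the fix.
    lowest=$(printf '%s\n%s\n' "$ver" "$PATCHED_VERSION" | sort -V | head -n 1)
    if [ "$lowest" = "$ver" ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
    return 0
}

# Query the live site through WP-CLI and classify what it reports.
# Prints "unknown" when WP-CLI is missing or the plugin is not installed.
check_live_site() {
    if ! command -v wp >/dev/null 2>&1; then
        echo "unknown"
        return 0
    fi
    if [ -n "$WP_PATH" ]; then
        ver=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$WP_PATH" 2>/dev/null)
    else
        ver=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null)
    fi
    classify_version "$ver"
}

# Stand-alone run: show the classification on constructed sample versions,
# then check the real site when WP-CLI is available.
for v in 1.10.18 1.10.9 1.10.19 1.11.0 ""; do
    printf '%-8s -> %s\n' "${v:-<none>}" "$(classify_version "$v")"
done
if command -v wp >/dev/null 2>&1; then
    printf 'live site -> %s\n' "$(check_live_site)"
fi
```

`sort -V` is used rather than a plain string comparison because `1.10.9` sorts after `1.10.19` lexically but is older; the version sort gets that right. Run it on the WordPress host (or with `WP_PATH` set) to get a one-word verdict you can feed into an inventory script across many sites.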
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to plugin endpoints
- Multiple failed exploitation attempts
Network Indicators:
- HTTP requests with unusual object property injections
SIEM Query:
source="wordpress" AND (plugin="popup-by-supsystic" OR uri="/wp-content/plugins/popup-by-supsystic/")
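The log indicators above (POST bursts to the plugin path, repeated failed attempts) can be checked directly against web server access logs when no SIEM is in front of the site. The script below is an added example, not part of the advisory: it reads combined-format (Apache/Nginx) log lines, counts POSTs per client IP to the `/wp-content/plugins/popup-by-supsystic/` path from the advisory, and reports how many of those the server rejected with a 4xx/5xx status. The sample log lines are constructed, and `EXAMPLE-ENDPOINT.php` is a placeholder for whichever plugin file real requests hit.

```shell
#!/bin/sh
# Added example (not from the advisory): find client IPs that burst POST requests at the
# Popup by Supsystic plugin path in combined-format (Apache/Nginx) access logs, and how
# many of those POSTs the server rejected with a 4xx/5xx status.
# Assumes awk and sort; only the plugin directory prefix comes from the advisory.

PLUGIN_PATH="/wp-content/plugins/popup-by-supsystic/"

# Constructed sample log lines, not real traffic. "EXAMPLE-ENDPOINT.php" is a
# placeholder for whatever plugin file a real request would hit.
SAMPLE_LOG='203.0.113.10 - - [10/Jun/2023:12:00:01 +0000] "GET /wp-content/plugins/popup-by-supsystic/EXAMPLE-ENDPOINT.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2023:12:00:02 +0000] "POST /wp-content/plugins/popup-by-supsystic/EXAMPLE-ENDPOINT.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2023:12:00:05 +0000] "POST /wp-content/plugins/popup-by-supsystic/EXAMPLE-ENDPOINT.php HTTP/1.1" 400 120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2023:12:00:05 +0000] "POST /wp-content/plugins/popup-by-supsystic/EXAMPLE-ENDPOINT.php HTTP/1.1" 400 120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2023:12:00:06 +0000] "POST /wp-content/plugins/popup-by-supsystic/EXAMPLE-ENDPOINT.php HTTP/1.1" 500 95 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2023:12:00:07 +0000] "POST /wp-content/plugins/popup-by-supsystic/EXAMPLE-ENDPOINT.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2023:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"'

# Read combined-format log lines on stdin. For every client that sent at least
# $1 POSTs (default 3) to the plugin path, print "ip total_posts failed_posts".
flag_post_bursts() {
    threshold="${1:-3}"
    awk -v prefix="$PLUGIN_PATH" -v thr="$threshold" '
        # $1 client IP, $6 "METHOD (with leading quote), $7 request path, $9 status
        $6 == "\"POST" && index($7, prefix) == 1 {
            total[$1]++
            if ($9 >= 400) failed[$1]++
        }
        END {
            for (ip in total)
                if (total[ip] >= thr)
                    print ip, total[ip], failed[ip] + 0
        }
    ' | sort
}

# Run the detector over the constructed sample; this is what the test checks.
demo_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_post_bursts 3
}

demo_flagged
```

On the sample, only `198.51.100.7` is reported (4 POSTs, 3 of them failed); the single legitimate-looking POST from `203.0.113.10` stays under the threshold. Against a real log, pipe `tail -n 100000 access.log | flag_post_bursts 10` and tune the threshold to the site's normal traffic before wiring it into an alert.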