CVE-2024-12158
📋 TL;DR
This vulnerability allows unauthenticated attackers to delete database data in the Ultimate Popup Creator WordPress plugin. Any WordPress site using vulnerable versions of this plugin is affected, potentially causing loss of popup configuration and subscriber data.
💻 Affected Systems
- Popup – MailChimp, GetResponse and ActiveCampaign Intergrations (Ultimate Popup Creator)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of all plugin data including popup configurations and subscriber lists, potentially disrupting marketing campaigns and requiring full plugin reconfiguration.
Likely Case
Attackers delete plugin database tables, causing popups to stop functioning and requiring administrator intervention to restore from backups.
If Mitigated
With proper access controls and monitoring, impact is limited to temporary service disruption until data restoration.
🎯 Exploit Status
Simple AJAX endpoint exploitation requiring no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.7 or later
Vendor Advisory: https://wordpress.org/plugins/ultimate-popup-creator/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Ultimate Popup Creator' and click 'Update Now'.
4. Verify the plugin version is 3.2.7 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Add code to functions.php (or a must-use plugin) to remove the vulnerable AJAX action handler:
add_action('init', function () {
    // The hook names and the callback name 'upc_delete_db_data' are the ones this advisory reports.
    // remove_action() only works when the callback and priority match what the plugin registered;
    // if the plugin uses a class method or a non-default priority, adjust these calls accordingly.
    remove_action('wp_ajax_nopriv_upc_delete_db_data', 'upc_delete_db_data'); // unauthenticated callers
    remove_action('wp_ajax_upc_delete_db_data', 'upc_delete_db_data');        // authenticated callers
});
Deactivate plugin
Temporarily disable the plugin until patched:
wp plugin deactivate ultimate-popup-creator
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to wp-admin/admin-ajax.php carrying the 'upc_delete_db_data' action parameter; inspect both the query string and the POST body, since the action can be sent either way
- Restrict access to wp-admin/admin-ajax.php to authenticated users only via .htaccess or web server configuration; note that other plugins and themes may legitimately use admin-ajax.php for anonymous visitors, so test front-end functionality after applying this
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Ultimate Popup Creator version 3.2.6 or earlier
Check Version:
wp plugin list --name='ultimate-popup-creator' --field=version
Verify Fix Applied:
Verify plugin version shows 3.2.7 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with 'action=upc_delete_db_data' parameter from unauthenticated users
- Database DELETE operations on tables containing 'upc_' prefix
Network Indicators:
- HTTP POST requests to admin-ajax.php with suspicious action parameters
SIEM Query:
source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="upc_delete_db_data"
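As an added example (not part of the original advisory), the following Python script implements the log indicator above outside a SIEM: it scans web server access logs for POST requests to admin-ajax.php whose action is upc_delete_db_data, separates unauthenticated callers (no wordpress_logged_in_ cookie) from logged-in ones, and marks attempts the server already rejected. It assumes an Apache "combined" LogFormat extended with the Cookie request header as a final quoted field; the log lines embedded below are constructed, as are the IP addresses and cookie value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Regex for Apache "combined" log lines extended with the Cookie request header as a final
# quoted field (an assumed custom LogFormat; the sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

SUSPICIOUS_ACTION = "upc_delete_db_data"      # AJAX action named in this advisory
LOGIN_COOKIE_PREFIX = "wordpress_logged_in_"  # prefix of the WordPress auth cookie

# Constructed sample log: one unauthenticated hit, one from a logged-in user,
# one benign heartbeat call, and one attempt the server rejected with 403.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=upc_delete_db_data HTTP/1.1" 200 13 "-" "curl/8.4.0" "-"
198.51.100.7 - - [12/Dec/2024:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=upc_delete_db_data HTTP/1.1" 200 13 "https://example.test/wp-admin/" "Mozilla/5.0" "wordpress_logged_in_abc=admin%7C1734000000%7Ctoken"
203.0.113.5 - - [12/Dec/2024:10:03:44 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52 "-" "Mozilla/5.0" "-"
203.0.113.9 - - [12/Dec/2024:10:04:01 +0000] "POST /wp-admin/admin-ajax.php?action=upc_delete_db_data HTTP/1.1" 403 0 "-" "python-requests/2.31" "-"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # Only the query string is visible in an access log; an action sent in the POST body
    # is only visible with WAF or request-body logging.
    entry["action"] = parse_qs(parts.query).get("action", [None])[0]
    entry["authenticated"] = LOGIN_COOKIE_PREFIX in entry["cookie"]
    return entry


def classify(entry):
    """Label a parsed entry per the advisory's log indicator, or return None if benign."""
    if entry["method"] != "POST" or not entry["path"].endswith("/wp-admin/admin-ajax.php"):
        return None
    if entry["action"] != SUSPICIOUS_ACTION:
        return None
    if entry["status"].startswith(("4", "5")):
        return "blocked_attempt"  # e.g. a WAF rule or access restriction already rejected it
    return "authenticated_delete" if entry["authenticated"] else "unauthenticated_delete"


def scan(log_text):
    """Scan raw log text and return one finding per request that matches the indicator."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "label": label})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['label']}")
```

An unauthenticated_delete finding with a 2xx status is the one that warrants checking the plugin's tables and restoring from backup; blocked_attempt entries confirm a workaround is doing its job and are still worth keeping as a source list for blocking.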