CVE-2024-2544
📋 TL;DR
The Popup Builder WordPress plugin has a missing capability check on all AJAX actions, allowing authenticated attackers with subscriber-level access or higher to modify and delete data without authorization. This vulnerability enables actions like deleting subscribers and importing malicious content for stored cross-site scripting attacks. All WordPress sites using the vulnerable plugin versions are affected.
💻 Affected Systems
- Popup Builder WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete all subscriber data, inject persistent XSS payloads affecting all site visitors, and potentially escalate privileges or compromise the entire WordPress installation.
Likely Case
Subscriber data loss or corruption through unauthorized deletion, and stored XSS attacks affecting site visitors through malicious popup content.
If Mitigated
Limited impact if proper access controls and input validation are already in place, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires authenticated access (subscriber role or higher). The vulnerability is in all AJAX endpoints, making exploitation straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.0
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3096000%40popup-builder%2Ftrunk&old=3085485%40popup-builder%2Ftrunk
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Popup Builder and click 'Update Now'.
4. Verify the version is 4.3.0 or higher.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the Popup Builder plugin until patched
wp plugin deactivate popup-builder
Restrict User Registration
Disable new user registration to prevent attacker account creation
Settings → General → Membership: Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict access controls and monitor all AJAX requests to the plugin
- Regularly audit and remove any suspicious subscriber accounts or imported content
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Popup Builder version
Check Version:
wp plugin get popup-builder --field=version
Verify Fix Applied:
Verify Popup Builder version is 4.3.0 or higher in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to popup-builder endpoints from subscriber accounts
- Multiple subscriber deletions or imports in short timeframes
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action parameters containing 'sgpb_' prefix
SIEM Query:
source="wordpress.log" AND ("admin-ajax.php" AND "sgpb_")
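The log and network indicators above can be turned into a small detection routine. The following is an added example written for this page, not code from the advisory or from the plugin: it parses constructed log lines (the line format, the user names and the specific `sgpb_*` action names are all invented for the example; only the `admin-ajax.php` endpoint and the `sgpb_` prefix come from the advisory), flags `sgpb_` AJAX actions issued by non-administrator accounts, and flags bursts of such actions from one account, which covers the "multiple deletions or imports in a short timeframe" indicator. The role allow-list and the burst threshold are tuning assumptions.

```python
"""Detection logic for the indicators in this advisory.

Added example, not part of the advisory. The log format is constructed:
one request per line,
    <ISO timestamp> <user> <role> <method> <path> action=<ajax action>
WordPress core does not log AJAX actions together with the acting user by
default, so parse_line() must be adapted to whatever your logging layer emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log lines (not real traffic; action names are placeholders
# carrying only the sgpb_ prefix named in the advisory).
SAMPLE_LOG = """\
2024-03-10T12:00:01Z admin administrator POST /wp-admin/admin-ajax.php action=sgpb_save_popup
2024-03-10T12:00:05Z alice subscriber GET /wp-admin/admin-ajax.php action=heartbeat
2024-03-10T12:00:07Z bob subscriber POST /wp-admin/admin-ajax.php action=sgpb_delete_subscribers
2024-03-10T12:00:08Z bob subscriber POST /wp-admin/admin-ajax.php action=sgpb_delete_subscribers
2024-03-10T12:00:09Z bob subscriber POST /wp-admin/admin-ajax.php action=sgpb_import_subscribers
2024-03-10T12:00:40Z bob subscriber POST /wp-admin/admin-ajax.php action=sgpb_delete_subscribers
2024-03-10T12:01:00Z carol editor POST /wp-admin/admin-ajax.php action=sgpb_save_popup
2024-03-10T12:01:30Z bob subscriber POST /wp-login.php action=
"""

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
SUSPECT_PREFIX = "sgpb_"              # action prefix named in the advisory
# Tuning assumption: only administrators legitimately manage popups/subscribers.
LEGIT_ROLES = {"administrator"}
BURST_COUNT = 3                       # assumed threshold: >= 3 sgpb_ actions ...
BURST_WINDOW = timedelta(seconds=30)  # ... from one user within 30 seconds


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].startswith("action="):
        return None
    ts, user, role, method, path, action = parts
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "role": role,
        "method": method,
        "path": urlsplit(path).path,      # drop any query string
        "action": action[len("action="):],
    }


def is_suspect_request(rec):
    """Network indicator: POST to admin-ajax.php with an sgpb_-prefixed action."""
    return (rec["method"] == "POST"
            and rec["path"] == AJAX_ENDPOINT
            and rec["action"].startswith(SUSPECT_PREFIX))


def detect(log_text):
    """Return a sorted list of (user, reason) findings over the given log text."""
    findings = set()
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_suspect_request(rec):
            continue
        # Log indicator 1: plugin AJAX action from a low-privilege account.
        if rec["role"] not in LEGIT_ROLES:
            findings.add((rec["user"],
                          f"low-privilege role '{rec['role']}' invoked {rec['action']}"))
        per_user[rec["user"]].append(rec["ts"])
    # Log indicator 2: burst of sgpb_ actions from one account (sliding window).
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                findings.add((user, f"{end - start + 1} sgpb_ actions within "
                                    f"{BURST_WINDOW.seconds}s"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

On the sample input the administrator's own `sgpb_` call produces no finding, while `bob` is reported both for acting from a subscriber account and for a burst, and `carol` is reported because an editor is outside the assumed allow-list; adjust `LEGIT_ROLES` if a site genuinely delegates popup management to editors.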
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3096000%40popup-builder%2Ftrunk&old=3085485%40popup-builder%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/04802c63-4a5d-4948-9ef1-cf89c4cc757e?source=cve