
Cloud Vulnerability DB
A community-led vulnerabilities database
The Popup Builder WordPress plugin before version 3.64.1 contained a vulnerability (CVE-2020-10195) that allowed information disclosure and settings modification. This vulnerability affected over 100,000 WordPress websites and was discovered in March 2020. The plugin, developed by Sygnoos, is designed for creating and managing promotional modal pop-ups for WordPress blogs and websites (SecurityWeek).
The vulnerability has a CVSS v3.1 base score of 6.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. The issue stems from insufficient security checks in admin-post actions within com/classes/Actions.php. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).
The vulnerability allows authenticated attackers with minimal (subscriber-level) permissions to modify plugin settings, export newsletter subscriber lists, and obtain sensitive system configuration information including webserver configuration and installed plugins. This could lead to in-scope privilege escalation and unauthorized access to plugin functionality (SecurityWeek).
The vulnerability was patched in Popup Builder version 3.64.1, released on March 11, 2020. Site administrators are strongly advised to update to this version or later to protect against potential exploitation. The fix was released within a week of the vulnerability being reported to the developer (SecurityWeek).
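To check installed copies against the fixed release, the following added example (not part of the original report or the plugin's code) reads WordPress plugin headers under a plugins directory and flags any Popup Builder copy older than 3.64.1. It assumes the plugin's header name starts with "Popup Builder"; the folder names and sample versions in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 64, 1)             # first patched release named in the advisory
PLUGIN_NAME = "Popup Builder"  # assumption: header name starts with this text

def parse_version(text):
    """'3.64.1' -> (3, 64, 1). Unparseable input gives (), which sorts lowest."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def is_vulnerable(version):
    # Numeric tuple comparison: "3.7" is older than "3.64.1" although the
    # string "3.7" sorts after "3.64.1".
    return parse_version(version) < FIXED

def read_header(php_file):
    """Return (name, version) from a WordPress plugin header, or None."""
    head = php_file.read_text(errors="replace")[:8192]
    name = re.search(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+)$", head, re.M | re.I)
    ver = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", head, re.M | re.I)
    return (name.group(1).strip(), ver.group(1)) if name and ver else None

def audit(plugins_dir):
    """Map plugin folder -> (version, vulnerable) for each Popup Builder copy."""
    found = {}
    for php_file in Path(plugins_dir).glob("*/*.php"):
        header = read_header(php_file)
        if header and header[0].startswith(PLUGIN_NAME):
            found[php_file.parent.name] = (header[1], is_vulnerable(header[1]))
    return found

def demo():
    """Audit a constructed plugins tree (sample data, not from the advisory)."""
    samples = {"pb-old": ("Popup Builder", "3.7"),
               "pb-prev": ("Popup Builder", "3.63"),
               "pb-fixed": ("Popup Builder", "3.64.1"),
               "other": ("Hello Dolly", "1.0")}
    with tempfile.TemporaryDirectory() as root:
        for folder, (name, ver) in samples.items():
            plugin = Path(root, folder)
            plugin.mkdir()
            plugin.joinpath("main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return audit(root)

if __name__ == "__main__":
    for folder, (ver, vuln) in sorted(demo().items()):
        print(f"{folder}: {ver} -> {'VULNERABLE' if vuln else 'patched'}")
```

A version string that cannot be parsed is reported as vulnerable, so an unreadable header prompts a manual check rather than passing silently.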
While no malicious exploitation was detected in the wild, security researchers emphasized the serious potential impact of the vulnerability. As of the initial disclosure, approximately 33,000 users had updated to the patched version, leaving an estimated 66,000 sites still vulnerable (BleepingComputer).
Source: This report was generated using AI