
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity stored cross-site scripting (XSS) vulnerability was discovered in the Popup Builder WordPress plugin in versions before 3.64.1. The vulnerability, tracked as CVE-2020-10196, affected over 100,000 WordPress websites and was publicly disclosed on March 13, 2020. The plugin, which creates and manages promotional modal pop-ups for WordPress blogs and websites, includes a feature for running custom JavaScript code when a pop-up is loaded; it is this feature that the flaw turned into an injection point (SecurityWeek).
The vulnerability carries a CVSS score of 8.3 (High). It stems from an AJAX hook intended for auto-saving draft pop-ups that was registered so that unauthenticated visitors could reach it, while the function called by the hook performed neither a nonce check (CSRF protection) nor a capability check (authorization). An unauthenticated attacker could therefore send a POST request to wp-admin/admin-ajax.php containing a malicious JavaScript payload, which the plugin saved into the pop-up's settings as if it were the legitimate custom script; the payload then executed in the browser of every visitor to a page on which that pop-up was displayed (SecurityWeek).
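The following is an added illustration of the handler pattern described above, not code from the Popup Builder plugin: a minimal WordPress AJAX callback that repeats the flaw (reachable by logged-out visitors, no nonce check, no capability check) beside a hardened version. The action names, the `demo_` prefix, the post-meta key and the request parameter names are assumptions made for this example only.

```php
<?php
/**
 * Added example, not the plugin's own code. Mirrors the class of bug described
 * above: an auto-save AJAX handler that stores admin-supplied custom JavaScript.
 * Hook names, parameter names and the meta key are hypothetical.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Registering the callback on wp_ajax_nopriv_* makes it reachable by anyone
// who can send a POST to wp-admin/admin-ajax.php, logged in or not. The
// callback then performs no nonce check and no capability check, so the
// stored script is whatever the last caller chose to send.
add_action( 'wp_ajax_demo_autosave_popup',        'demo_autosave_popup_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_autosave_popup', 'demo_autosave_popup_vulnerable' );

function demo_autosave_popup_vulnerable() {
    $popup_id  = isset( $_POST['popup_id'] ) ? (int) $_POST['popup_id'] : 0;
    $custom_js = isset( $_POST['custom_js'] ) ? wp_unslash( $_POST['custom_js'] ) : '';

    // Stored verbatim and later emitted into the page for every visitor:
    // this is the stored XSS.
    update_post_meta( $popup_id, '_demo_popup_custom_js', $custom_js );
    wp_send_json_success( array( 'saved' => true ) );
}

// --- Hardened pattern -------------------------------------------------------
// Deliberately NOT registered on wp_ajax_nopriv_*: anonymous visitors have no
// reason to auto-save drafts, so the action should not exist for them at all.
add_action( 'wp_ajax_demo_autosave_popup_safe', 'demo_autosave_popup_safe' );

function demo_autosave_popup_safe() {
    // 1. CSRF protection: the request must carry a nonce that was issued to
    //    this user for this action (see the enqueue snippet below).
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'demo_autosave_popup', 'nonce' );

    $popup_id = isset( $_POST['popup_id'] ) ? (int) $_POST['popup_id'] : 0;

    // 2. Authorization: the caller must be allowed to edit this particular
    //    pop-up object, not merely be logged in.
    if ( ! $popup_id || ! current_user_can( 'edit_post', $popup_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Storing raw JavaScript is equivalent to unfiltered HTML, so gate it
    //    on the capability WordPress already uses for that.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $custom_js = isset( $_POST['custom_js'] ) ? wp_unslash( $_POST['custom_js'] ) : '';
    update_post_meta( $popup_id, '_demo_popup_custom_js', $custom_js );
    wp_send_json_success( array( 'saved' => true ) );
}

// How the editor screen hands the nonce to its script (enqueued only on the
// plugin's admin page, never on the public front end):
//   wp_localize_script( 'demo-popup-editor', 'demoPopup', array(
//       'ajaxUrl' => admin_url( 'admin-ajax.php' ),
//       'nonce'   => wp_create_nonce( 'demo_autosave_popup' ),
//   ) );
```

Note that sanitising the payload (for example with `wp_kses`) is not the right fix here: the feature exists precisely to let a site owner store arbitrary JavaScript, so the control has to be on who may call the handler, not on what they may send. A quick regression check after such a fix is to POST the action to `wp-admin/admin-ajax.php` from a session with no cookies; with no `wp_ajax_nopriv_` registration WordPress answers with the body `0` and HTTP 400, and a logged-in subscriber-level account should receive the 403 from the capability check.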
Because the injected script runs with whatever privileges the viewing user holds, the vulnerability could be exploited to redirect visitors to malvertising sites or steal information, and, if the infected pop-up was displayed to a logged-in administrator, to perform actions within that administrator's session and potentially achieve complete site takeover. The plugin's install base of over 100,000 sites made the issue particularly concerning (SecurityWeek).
The vulnerability was reported to the plugin's developer on March 5, 2020, and was fully patched in version 3.64.1, released on March 11, 2020. Users were advised to update to that version immediately to protect their websites (SecurityWeek).
Source: This report was generated using AI