CVE-2022-2405: 
WordPress vulnerability analysis and mitigation

The WP Popup Builder WordPress plugin before version 1.3.0 contains a security vulnerability identified as CVE-2022-2405. The vulnerability was discovered by Krzysztof Zając and publicly disclosed on September 5, 2022. This security issue affects the plugin's AJAX functionality, specifically impacting installations of WP Popup Builder versions prior to 1.3.0 (WPScan).

The vulnerability stems from missing authorization and CSRF (Cross-Site Request Forgery) checks in an AJAX action. The issue has been assigned a CVSS v3 base score of 4.3 (Medium), with an impact score of 1.4 and exploitability score of 2.8. The vulnerability is classified under CWE-862 (Missing Authorization) and falls under the OWASP Top 10 category A5: Broken Access Control (WPScan, AttackerKB).

The vulnerability allows any authenticated user, including those with low-privilege roles such as subscribers, to delete arbitrary popups from the website. This can lead to unauthorized modification of website content and potential disruption of intended popup functionality (WPScan).

The vulnerability has been fixed in WP Popup Builder version 1.3.0. Website administrators are strongly advised to update to this version or later to protect against potential exploitation (WPScan).