CVE-2024-12158: 
WordPress vulnerability analysis and mitigation

The Popup – MailChimp, GetResponse and ActiveCampaign Intergrations plugin for WordPress (versions up to 3.2.6) contains a vulnerability identified as CVE-2024-12158. The vulnerability was disclosed on January 7, 2025, and involves unauthorized loss of data due to a missing capability check on the 'upcdeletedb_data' AJAX action. This security issue affects the plugin's database data management functionality (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 5.3 (Medium). The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, and requires no user interaction. The vulnerability specifically affects the AJAX action 'upcdeletedb_data' which lacks proper capability checks (Wordfence).

The vulnerability allows unauthenticated attackers to delete the database data for the plugin, potentially causing loss of configuration settings and stored information. This could lead to service disruption and unauthorized modification of plugin data (NVD).

As of January 7, 2025, the plugin has been closed and is no longer available for download from the WordPress plugin repository due to this security issue. Users are advised to remove the plugin from their WordPress installations until a secure alternative can be implemented (WordPress).