CVE-2024-2541: 
WordPress vulnerability analysis and mitigation

The Popup Builder plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2024-2541) affecting all versions up to and including 4.3.3. The vulnerability was discovered and disclosed on August 29, 2024. The affected component is the Subscribers Import feature, which impacts the WordPress plugin developed by Sygnoos (NVD).

The vulnerability allows unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. The severity of this vulnerability has been assessed with different CVSS v3.1 scores: NIST rates it as HIGH with a base score of 7.5 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), while Wordfence assigns it a MEDIUM severity with a base score of 5.3 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

When exploited, this vulnerability can lead to the exposure of subscribers' personally identifiable information (PII), including first names, last names, email addresses, and potentially other sensitive data. The impact is particularly significant as it affects unauthenticated access to subscriber information that should be protected (NVD).

Users of the Popup Builder WordPress plugin should upgrade to a version newer than 4.3.3 as soon as possible to address this vulnerability (NVD).