CVE-2024-47358: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2024-47358) was discovered in Popup Maker, a WordPress plugin, affecting versions through 1.19.2. The vulnerability was disclosed on September 30, 2024, and allows accessing functionality not properly constrained by Access Control Lists (ACLs). The issue impacts the Popup Maker WordPress plugin, which is used for boosting sales, conversions, and opt-ins (Patchstack).

The vulnerability is classified as a Missing Authorization issue (CWE-862) where the plugin lacks proper capability checks on certain functions. This allows unauthenticated attackers to perform unauthorized actions. The vulnerability has received varying CVSS scores: NIST assigned a Critical score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while Patchstack rated it as Medium with a score of 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) (NVD, WPScan).

The vulnerability allows unauthenticated attackers to perform unauthorized actions within the Popup Maker plugin. The severity assessment indicates potential high impacts on confidentiality, integrity, and availability according to NIST's evaluation (NVD).

The vulnerability has been patched in version 1.20.0 of the Popup Maker plugin. Users are advised to update to this version or later to resolve the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users update to the fixed version (Patchstack).