Designed to help create and maintain promotional modal popups for blogs and websites in WordPress, Popup Builder also offers the ability to run custom JavaScript code while loading the popup. Security researchers at WordPress security firm Defiant warn that Popup Builder is affected by vulnerabilities before version 3.64.1 that could enable attackers to inject malicious code without authentication, or leak user and system configuration details. A high-severity stored cross-site scripting (XSS) bug tracked as CVE-2020-10196, with a CVSS score of 8.3, is the most critical of the vulnerabilities. An unauthenticated attacker could exploit the flaw to inject malicious JavaScript code into any popup and thus have it run when the popup is loaded. The plugin registered an Ajax hook designed to enable auto-saving of draft popups, but the hook was found to be exposed to unprivileged users. In addition, the hook's callback did not include nonce checks or capability checks. Because of that, an attacker could send a POST request with a malicious JavaScript payload to wp-admin/admin-ajax.php, which would result in the payload being saved to the popup's settings and executed whenever the popup appeared on a site. While such vulnerabilities are commonly exploited to redirect users to malvertising sites, or for information theft if the infected popup is displayed to a logged-in administrator, the problem could also be leveraged for site takeover, Defiant said. Another issue addressed in this week's update is CVE-2020-10195 (CVSS score 6.3), which might allow a low-privileged authenticated user to export a list of all newsletter subscribers and system configuration data, or even grant themselves access to plugin features.
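As an added illustration that is not taken from the plugin's code or from the advisory, the snippet below shows a hypothetical WordPress Ajax auto-save handler in the shape described above (exposed to unauthenticated users, no nonce or capability check), followed by a hardened form; the action, capability and meta-key names are assumptions.

```php
<?php
// Added illustration, not Popup Builder's code. Action and meta-key names are
// assumed for the example.

// --- Vulnerable shape: the callback trusts any POST to wp-admin/admin-ajax.php.
// Registering it with the wp_ajax_nopriv_ prefix exposes it to unauthenticated
// requests, and nothing verifies a nonce or the caller's capabilities, so any
// visitor can write script into a popup that the site then executes.
function example_popup_autosave_vulnerable() {
    $popup_id  = isset( $_POST['popup_id'] ) ? (int) $_POST['popup_id'] : 0;
    $custom_js = isset( $_POST['custom_js'] ) ? wp_unslash( $_POST['custom_js'] ) : '';
    update_post_meta( $popup_id, '_example_popup_custom_js', $custom_js );
    wp_send_json_success();
}
// The two registrations that make the handler reachable by anyone, shown only
// for contrast and deliberately left commented out:
// add_action( 'wp_ajax_example_popup_autosave',        'example_popup_autosave_vulnerable' );
// add_action( 'wp_ajax_nopriv_example_popup_autosave', 'example_popup_autosave_vulnerable' );

// --- Hardened shape: no nopriv registration, a nonce bound to this action, and
// a capability check scoped to the popup being edited. Because the stored value
// is JavaScript the plugin intends to execute, output escaping cannot make it
// safe; deciding who may write it is the control that matters.
function example_popup_autosave_hardened() {
    // Stops with HTTP 403 unless a nonce created by
    // wp_create_nonce( 'example_popup_autosave' ) arrives in the 'security' field.
    check_ajax_referer( 'example_popup_autosave', 'security' );

    $popup_id = isset( $_POST['popup_id'] ) ? absint( $_POST['popup_id'] ) : 0;
    if ( ! $popup_id || 'example_popup' !== get_post_type( $popup_id ) ) {
        wp_send_json_error( 'invalid popup', 400 );
    }
    // Only a user who may edit this specific popup can change its script;
    // for an unauthenticated request current_user_can() is always false.
    if ( ! current_user_can( 'edit_post', $popup_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $custom_js = isset( $_POST['custom_js'] ) ? wp_unslash( $_POST['custom_js'] ) : '';
    update_post_meta( $popup_id, '_example_popup_custom_js', $custom_js );
    wp_send_json_success();
}
// Registered only for logged-in users; no wp_ajax_nopriv_ counterpart.
add_action( 'wp_ajax_example_popup_autosave', 'example_popup_autosave_hardened' );
```

A quick audit check for any plugin is to list every wp_ajax_nopriv_ registration and confirm its callback either needs no authorization at all or performs a nonce and capability check before writing anything.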
The vulnerabilities were reported to the plugin's developer on March 5, with a fully patched version of Popup Builder released on March 11 (version 3.64.1). According to Wordfence:
Description: Unauthenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
Plugin Slug: popup-builder
Affected Versions: <= 3.63
CVE ID: CVE-2020-10196
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 3.64.1
"While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover," Defiant stresses.
Popup Builder Plugin Flaws Impacting 100,000 WordPress Sites Patched (Cybers Guards)