Built to help create and maintain promotional modal popups for WordPress blogs and websites, Popup Builder also lets site owners run custom JavaScript code when a popup loads. Security researchers at WordPress security firm Defiant warn that Popup Builder versions before 3.64.1 are affected by vulnerabilities that could allow attackers to inject malicious code without authentication, or to leak user and device configuration details.

The most critical issue is a high-severity stored cross-site scripting (XSS) bug tracked as CVE-2020-10196, with a CVSS score of 8.3. An unauthenticated attacker could exploit the flaw to inject malicious JavaScript into any popup and have it execute whenever that popup is loaded. The plugin registered an AJAX hook intended to auto-save draft popups, but the hook turned out to be reachable by unprivileged users. In addition, the hook's callback function performed neither a nonce check nor a capability check. As a result, an attacker could send a POST request carrying a malicious JavaScript payload to wp-admin/admin-ajax.php; the payload would be saved into the popup's settings and executed every time the popup appeared on the site.

Vulnerabilities of this kind are commonly used to redirect visitors to malvertising sites or to steal information, and if the infected popup were shown to a logged-in administrator, the issue could also be leveraged for full site takeover, Defiant says.

A second issue addressed in this week's update is CVE-2020-10195 (CVSS score 6.3), which could allow a low-privileged authenticated user to export a list of all newsletter subscribers and device configuration data, or even to grant themselves access to plugin features.
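To make the two missing controls concrete, the following is an added, illustrative example of a WordPress AJAX auto-save handler written in the unsafe shape the advisory describes and then in a hardened shape. It is not Popup Builder's code and not Wordfence's; the action names, meta keys, post type and field names (`example_autosave_popup`, `_example_popup_custom_js`, `example_popup`, and so on) are assumptions made for the example.

```php
<?php
/**
 * Illustrative (hypothetical) WordPress AJAX handler for auto-saving a popup
 * draft, shown first in an unsafe form and then in a hardened form.
 * This is NOT Popup Builder's code; every name below is an assumption.
 */

// --- Unsafe pattern (the shape described in the advisory) -------------------
// Registering the callback under wp_ajax_nopriv_ makes it reachable by
// visitors who are not logged in, and the callback persists request-controlled
// script content without a nonce check or a capability check.
add_action( 'wp_ajax_example_autosave_popup',        'example_autosave_popup_unsafe' );
add_action( 'wp_ajax_nopriv_example_autosave_popup', 'example_autosave_popup_unsafe' );

function example_autosave_popup_unsafe() {
    $popup_id  = isset( $_POST['popup_id'] )  ? (int) $_POST['popup_id'] : 0;
    $custom_js = isset( $_POST['custom_js'] ) ? wp_unslash( $_POST['custom_js'] ) : '';
    // Stored verbatim and later echoed into a <script> block when the popup renders.
    update_post_meta( $popup_id, '_example_popup_custom_js', $custom_js );
    wp_send_json_success();
}

// --- Hardened pattern --------------------------------------------------------
// 1. Register only the authenticated hook (no wp_ajax_nopriv_ variant).
// 2. Verify a nonce so the request must originate from the plugin's own editor page.
// 3. Check capabilities: the caller must be allowed to edit this specific popup
//    and, because the field is executable script, must also hold 'unfiltered_html'.
// 4. Validate the target post type so the meta cannot be written onto arbitrary posts.
add_action( 'wp_ajax_example_autosave_popup_v2', 'example_autosave_popup_hardened' );

function example_autosave_popup_hardened() {
    // Terminates the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_autosave_popup', 'nonce' );

    $popup_id = isset( $_POST['popup_id'] ) ? absint( $_POST['popup_id'] ) : 0;

    if ( ! $popup_id || get_post_type( $popup_id ) !== 'example_popup' ) {
        wp_send_json_error( array( 'message' => 'Invalid popup.' ), 400 );
    }
    if ( ! current_user_can( 'edit_post', $popup_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // Plain-text fields are sanitized before storage.
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_post_meta( $popup_id, '_example_popup_title', $title );

    // The custom-JS field is executable by design, so sanitization cannot make it
    // safe; authorization is the control. Only users trusted with raw markup may write it.
    if ( isset( $_POST['custom_js'] ) ) {
        if ( ! current_user_can( 'unfiltered_html' ) ) {
            wp_send_json_error( array( 'message' => 'Not allowed to save custom JavaScript.' ), 403 );
        }
        update_post_meta( $popup_id, '_example_popup_custom_js', wp_unslash( $_POST['custom_js'] ) );
    }

    wp_send_json_success( array( 'popup_id' => $popup_id ) );
}

// The editor page hands the auto-save script a nonce bound to the same action
// string that check_ajax_referer() verifies above.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    wp_register_script(
        'example-popup-editor',
        plugins_url( 'editor.js', __FILE__ ), // hypothetical editor script
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-popup-editor', 'examplePopup', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_autosave_popup' ),
    ) );
    wp_enqueue_script( 'example-popup-editor' );
} );
```

When auditing an installed plugin for this class of bug, the quick check is to list every `wp_ajax_nopriv_` registration and every `wp_ajax_` callback, then confirm each one calls `check_ajax_referer()` (or `wp_verify_nonce()`) and an appropriate `current_user_can()` test before it writes anything; a write path that stores script or markup should additionally require `unfiltered_html`.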
The vulnerabilities were reported to the plugin's developer on March 5, and a fully patched version of Popup Builder (version 3.64.1) was released on March 11. The Wordfence advisory summarizes the more severe flaw as follows:

Description: Unauthenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
Plugin Slug: popup-builder
Affected Versions: <= 3.63
CVE ID: CVE-2020-10196
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 3.64.1

"While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a dangerous impact on site visitors and could potentially even allow site takeover," Defiant emphasizes.
Popup Builder Plugin Flaws Impacting 100,000 WordPress Sites Patched (Cybers Guards)