Popup Builder Plugin Flaws Impacted 100000 WordPress Sites, Patched - Cybers Guards

Security researchers at WordPress security firm Defiant warn that Popup Builder versions before 3.64.1 are affected by vulnerabilities that could enable attackers to inject malicious code without authentication, or to leak user and system configuration details.

The most critical vulnerability is a high-severity stored cross-site scripting (XSS) bug tracked as CVE-2020-10196, with a CVSS score of 8.3. An unauthenticated attacker may exploit the security flaw to inject malicious JavaScript code into any popup and thus have it run when the popup is loaded.

According to Wordfence:

Description: Unauthenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
Plugin Slug: popup-builder
Affected Versions: <= 3.63
CVE ID: CVE-2020-10196
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 3.64.1

Designed to help build and maintain promotional modal popups for blogs and websites in WordPress, Popup Builder also provides the ability to run custom JavaScript code while loading the popup.

The plugin registered an AJAX hook to enable auto-saving of draft popups, but it was discovered that the hook was exposed to unprivileged users. In addition, the function it called did not include nonce checks or capability checks. Because of that, an attacker could send a POST request with a malicious JavaScript payload to wp-admin/admin-ajax.php, which would result in the payload being written to the popup settings and executed whenever the popup appears on a site.

Another issue addressed in this week's update is CVE-2020-10195 (CVSS score 6.3), which might allow a low-privileged authenticated user to export a list of all newsletter subscribers and system configuration information, or even grant themselves access to plugin features.

While such vulnerabilities are usually used to redirect users to malvertising sites or for information theft, the problem could also be leveraged for site takeover if the infected popup was shown to a logged-in administrator, Defiant says.

The vulnerabilities were reported to the plugin maker on March 5, with a fully patched version of Popup Builder released on March 11 (version 3.64.1).

“While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow for site takeover,” Defiant emphasizes.
