CVE-2020-10195 in popup-builder Plugin

Summary

by MITRE

The popup-builder plugin before 3.64.1 for WordPress allows information disclosure and settings modification, leading to in-scope privilege escalation via admin-post actions to com/classes/Actions.php. By sending a POST request to wp-admin/admin-post.php, an authenticated attacker with minimal (subscriber-level) permissions can modify the plugin's settings to allow arbitrary roles (including subscribers) access to plugin functionality by setting the action parameter to sgpbSaveSettings, export a list of current newsletter subscribers by setting the action parameter to csv_file, or obtain system configuration information including webserver configuration and a list of installed plugins by setting the action parameter to sgpb_system_info.


Analysis

by VulDB Data Team • 05/07/2025

The vulnerability identified as CVE-2020-10195 affects the popup-builder plugin for WordPress in versions prior to 3.64.1 and presents a critical privilege escalation risk caused by improper access controls: the handlers for the plugin's admin-post actions in com/classes/Actions.php perform administrative operations without adequate permission (capability) checks. Because the plugin does not verify the user's role before processing these actions, any authenticated user can invoke them with crafted POST requests to the wp-admin/admin-post.php endpoint. This is a direct violation of the principle of least privilege and a classic security misconfiguration that exposes administrative functions to unauthorized users.

Exploitation consists of setting the action parameter in a POST request to the WordPress admin-post.php endpoint. When an authenticated user with only subscriber-level permissions submits a request with the action parameter set to sgpbSaveSettings, the plugin accepts changes to settings that should require administrator privileges, including granting additional roles (such as subscribers) access to plugin functionality. The csv_file action exports the list of newsletter subscribers, a data exposure that violates privacy and data protection principles. The most severe case is the sgpb_system_info action, which returns comprehensive system configuration information including webserver details, the list of installed plugins, and other sensitive technical data that could support further attacks. This information disclosure aspect corresponds to CWE-200 (Information Exposure) and represents a significant threat to the system's security posture.

The operational impact extends beyond simple privilege escalation to broad data exposure and potential system compromise. An attacker with subscriber-level access gains functionality that should be restricted to administrators, and the disclosed configuration details can enable further exploitation. Exporting subscriber lists creates privacy violations and spam abuse risks, while the system information provides reconnaissance data for planning more sophisticated attacks. The vulnerability therefore offers a path to escalate privileges within the WordPress environment and to learn about the broader system architecture, making it particularly dangerous in multi-tenant or enterprise environments, even where additional security controls are in place. Because exploitation requires only a low-privileged account, it is accessible to attackers who obtained such an account through other means, for example credential stuffing or social engineering.

Mitigation for CVE-2020-10195 should start with an immediate update of the plugin to version 3.64.1 or later, which adds the missing access control checks. Organizations should also implement network segmentation and monitoring to detect unusual administrative activity, particularly requests to plugin-specific endpoints. The principle of least privilege should be enforced through proper role management and capability checks on every administrative function. A web application firewall with rules that monitor and block suspicious action parameters in admin-post.php requests adds a further protective layer. Security teams should run comprehensive vulnerability assessments to identify other affected plugins and keep all WordPress installations patched. The flaw illustrates why WordPress plugins must validate input and verify authorization on every administrative action; in ATT&CK terms it maps to T1078 (Valid Accounts) and T1566 (Phishing), since legitimate but low-privileged accounts are used to obtain elevated privileges and information access.
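The capability-check requirement described above, as an added example that is not code from the popup-builder plugin or from VulDB: a WordPress admin-post handler shown first without authorization (the class of defect the advisory describes) and then in hardened form. The action names (example_save_settings, example_export_csv), the option name example_allowed_roles and the choice of the manage_options capability are assumptions made for this illustration.

```php
<?php
// Added example, not the plugin's own code. Hook names, option names and the
// capability used are assumptions chosen for illustration.

// Vulnerable pattern (shown for contrast, intentionally NOT registered below):
// the handler assumes that whoever reaches admin-post.php is an administrator,
// so any logged-in user, including a subscriber, could change the settings.
function example_save_settings_unchecked() {
    $allowed_roles = isset($_POST['allowed_roles']) ? (array) $_POST['allowed_roles'] : array();
    update_option('example_allowed_roles', $allowed_roles);
    wp_safe_redirect(admin_url('admin.php?page=example-settings'));
    exit;
}

// Hardened pattern: verify the nonce (CSRF) and the capability (authorization)
// before touching any setting, and only store values that are known to be valid.
function example_save_settings_checked() {
    // Rejects requests that lack a valid nonce produced by wp_nonce_field('example_save_settings').
    check_admin_referer('example_save_settings');

    // Rejects every user without manage_options (administrators by default).
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to change these settings.', 'example'), '', array('response' => 403));
    }

    $submitted = isset($_POST['allowed_roles']) ? (array) wp_unslash($_POST['allowed_roles']) : array();
    // Accept only role slugs that exist on this site; anything else is dropped.
    $valid_roles   = array_keys(wp_roles()->roles);
    $allowed_roles = array_values(array_intersect(array_map('sanitize_key', $submitted), $valid_roles));

    update_option('example_allowed_roles', $allowed_roles);
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('admin.php?page=example-settings')));
    exit;
}

// admin_post_{action} fires for any logged-in user regardless of role, which is
// exactly why the capability check inside the handler is mandatory. Never register
// admin_post_nopriv_{action} for an operation that changes settings or exports data.
add_action('admin_post_example_save_settings', 'example_save_settings_checked');

// The same gate applies to export and diagnostic handlers: a CSV of subscribers
// or a system-information dump is administrator-only data.
function example_export_subscribers_csv() {
    check_admin_referer('example_export_csv');
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.', 'example'), '', array('response' => 403));
    }

    // Constructed sample rows standing in for subscribers read from the database.
    $rows = array(
        array('email', 'subscribed_at'),
        array('user@example.com', '2020-03-06'),
    );

    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="subscribers.csv"');
    $out = fopen('php://output', 'w');
    foreach ($rows as $row) {
        fputcsv($out, $row);
    }
    fclose($out);
    exit;
}
add_action('admin_post_example_export_csv', 'example_export_subscribers_csv');
```

The two checks are deliberately separate: check_admin_referer() proves the request came from a form the plugin rendered for this user, while current_user_can() proves the user is allowed to perform the operation at all. Only the second one closes the defect class described in this advisory; a nonce alone would still let a subscriber who can load the settings page submit it.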

Reservation

03/06/2020

Moderation

accepted

CPE

ready

EPSS

0.00461

KEV

no

Activities

very low

Sources
