Designed to help users create and manage promotional modal popups for blogs and websites in WordPress, Popup Builder also provides the ability to run custom JavaScript code while loading the popup.

Security researchers at WordPress security firm Defiant warn that Popup Builder versions before 3.64.1 are affected by vulnerabilities that could enable attackers to inject malicious code without authentication, or to leak user and device configuration data.

A high-severity stored cross-site scripting (XSS) bug tracked as CVE-2020-10196, with a CVSS score of 8.3, is the most critical of the vulnerabilities. The plugin registered an Ajax hook designed to enable auto-saving of draft popups, but the hook was found to be exposed to unprivileged users. Additionally, the address-call feature did not include nonce checks or capability checks.

Because of that, an attacker could send a POST request with a malicious JavaScript payload to wp-admin/admin-ajax.php, which would result in the payload being saved to the popup settings and executed whenever the popup appeared on a site. An unauthenticated attacker may thus exploit the flaw to inject malicious JavaScript code into any popup and have it run when the popup is loaded.

While such vulnerabilities are commonly exploited to redirect users to malvertising sites, or for information theft if the infected popup is displayed to a logged-in administrator, the problem could also be leveraged for website takeover, Defiant says.

“While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover,” Defiant emphasizes.

Another issue called out in this week’s update is CVE-2020-10195 (CVSS score 6.3), which might allow a low-privileged authenticated user to export a list of all newsletter subscribers and device configuration information, or even grant access to plugin features themselves.

According to Wordfence:

Description: Unauthenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
Plugin Slug: popup-builder
Affected Versions: <= 3.63
CVE ID: CVE-2020-10196
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 3.64.1

The vulnerabilities were reported to the plugin’s creator on March 5, with a fully patched version of Popup Builder (3.64.1) released on March 11.
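The root cause described above is a generic WordPress plugin mistake: an Ajax auto-save handler reachable by unauthenticated callers and missing both a nonce check and a capability check. The following added example (not Popup Builder's code, and not taken from the Wordfence advisory) shows that weak pattern next to a hardened version. All action, function, post-type and meta-key names (`example_autosave_popup`, `example_popup`, `_example_custom_js`) are invented for illustration.

```php
<?php
/**
 * Added illustration of the bug class behind CVE-2020-10196 (not the
 * plugin's own code). A draft auto-save Ajax handler is shown first in
 * its weak form and then hardened. All names here are invented.
 */

// --- Weak pattern ---------------------------------------------------------
// Registering the callback on wp_ajax_nopriv_* makes it reachable through
// wp-admin/admin-ajax.php by anyone, logged in or not, and the callback
// saves attacker-controlled script with neither a nonce nor a capability check.
add_action( 'wp_ajax_example_autosave_popup', 'example_autosave_popup_weak' );
add_action( 'wp_ajax_nopriv_example_autosave_popup', 'example_autosave_popup_weak' );

function example_autosave_popup_weak() {
    $popup_id  = (int) $_POST['popup_id'];
    $custom_js = $_POST['custom_js']; // raw request data, later echoed into the page
    update_post_meta( $popup_id, '_example_custom_js', $custom_js );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
// 1. Only a wp_ajax_* hook: unauthenticated requests never reach the callback.
// 2. check_ajax_referer() rejects requests without a valid nonce (CSRF).
// 3. current_user_can( 'edit_post', ... ) ties the save to rights on that popup.
// 4. Storing script is itself a privilege, so require unfiltered_html for it.
add_action( 'wp_ajax_example_autosave_popup', 'example_autosave_popup_hardened' );

function example_autosave_popup_hardened() {
    check_ajax_referer( 'example_autosave_popup', 'nonce' ); // dies on failure

    $popup_id = isset( $_POST['popup_id'] ) ? absint( $_POST['popup_id'] ) : 0;
    if ( ! $popup_id || get_post_type( $popup_id ) !== 'example_popup' ) {
        wp_send_json_error( 'invalid popup', 400 );
    }
    if ( ! current_user_can( 'edit_post', $popup_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( isset( $_POST['custom_js'] ) ) {
        // Mirror WordPress core: only users with unfiltered_html may save script.
        if ( ! current_user_can( 'unfiltered_html' ) ) {
            wp_send_json_error( 'not allowed to store scripts', 403 );
        }
        $custom_js = wp_unslash( $_POST['custom_js'] );
        update_post_meta( $popup_id, '_example_custom_js', $custom_js );
    }
    wp_send_json_success();
}

// The editor page that issues the auto-save must carry a matching nonce;
// wp_localize_script() is the usual way to hand it to the admin-side JS.
function example_enqueue_editor_script() {
    wp_enqueue_script(
        'example-popup-editor',
        plugins_url( 'editor.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-popup-editor', 'examplePopup', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_autosave_popup' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_editor_script' );
```

Two design points matter for review. First, the nonce and the capability check are independent controls: the nonce only proves the request came from a page WordPress rendered for this user, while `current_user_can()` decides whether that user may change this particular popup. Second, because the plugin legitimately stores JavaScript for later execution, the write is gated on `unfiltered_html`, the same capability WordPress core uses before letting a user publish raw script; on multisite installs only super admins hold it by default, which is the intended restriction.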