Popup Builder Plugin Flaws Impacted 100,000 WordPress Sites, Patched - Cybers Guards

Security researchers at WordPress security firm Defiant warn that Popup Builder is affected by vulnerabilities before version 3.64.1 that could enable attackers to insert malicious code without authentication, or leak user and system configuration details.

Designed to help develop and maintain promotional modal popups for blogs and sites in WordPress, Popup Builder also provides the ability to run custom JavaScript code while loading the popup.

A high-severity stored cross-site scripting (XSS) flaw tracked as CVE-2020-10196, with a CVSS score of 8.3, is the most critical vulnerability. The plugin registers an AJAX hook designed to enable auto-saving of draft popups, but it was found that the hook was available to unprivileged users. Likewise, the called function did not include nonce checks or capability checks. Because of that, an attacker could send a POST request with a malicious JavaScript payload to wp-admin/admin-ajax.php, which would result in the payload being saved to the popup settings and executed whenever the popup appears on a site. An unauthenticated attacker may exploit the security flaw to insert malicious JavaScript code into any popup and thus have it run when the popup is loaded.

While such vulnerabilities are usually exploited to redirect users to malvertising sites or for data theft, the issue could also be leveraged for site takeover if the infected popup was shown to a logged-in administrator, Defiant says.

According to Wordfence:

Description: Unauthenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
Plugin Slug: popup-builder
Affected Versions: <= 3.63
CVE ID: CVE-2020-10196
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 3.64.1

Another issue addressed in this week's update is CVE-2020-10195 (CVSS score 6.3), which might allow a low-privileged authenticated user to export a list of all newsletter subscribers and system configuration information, or even grant themselves access to plugin features.

The vulnerabilities were reported to the plugin's creator on March 5, with a fully patched version of Popup Builder (version 3.64.1) released on March 11.

“While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover,” Defiant underlines.
