CVE-2024-10861
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups <= 4.9.7 - Missing Authorization to Unauthenticated Limited Options UpdateThe Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the 'ays_pb_upgrade_plugin' option with arbitrary data.
We have discovered 6,317 live websites that are affected by CVE-2024-10861.
Affected Software
| Product |  Ays Popup Box |
| Category | Wordpress Plugins |
| Vulnerable Domains | 6,317 live websites (43.98% of Ays Popup Box install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 304 versions ( 83.52% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Nov 16, 2024
- Updated - Nov 19, 2024
Credits
- Trương Hữu Phúc (truonghuuphuc) (finder)
CWE
CVE References
CWE References
CVE-2024-10861 usage by Country
 United States | 1,881 websites |
 Germany | 704 websites |
 France | 367 websites |
 Poland | 255 websites |
 Italy | 248 websites |
 GB | 213 websites |
 Brazil | 188 websites |
 Cyprus | 168 websites |
 Netherlands | 158 websites |
 Russia | 151 websites |
CVE-2024-10861 usage by TLD
| .com | 2,168 websites |
| .org | 340 websites |
| .de | 314 websites |
| .com.br | 230 websites |
| .it | 227 websites |
| .pl | 204 websites |
| .nl | 170 websites |
| .co.uk | 140 websites |
| .fr | 130 websites |
| .ru | 126 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-10861
Top websites that are affected by CVE-2024-10861. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ************.fr | France | **,*** | |
| *******.gr |  Greece | ***,*** | |
| ***********************.it | Italy | ***,*** | |
| ********.com | United States | ***,*** | |
| ******.com | United States | ***,*** | |
| ************.com | France | ***,*** | |
| ******.info | United States | ***,*** | |
| ******.nl | Netherlands | ***,*** | |
| ***.***.br | Brazil | ***,*** | |
| ******.com | United States | ***,*** |
FAQ
CVE-2024-10861 is Missing Authorization in Ays Popup Box
A total of 6,317 websites have been identified as vulnerable to CVE-2024-10861, discovered through global website indexing conducted by WebTechSurvey.
Ays Popup Box is susceptible to CVE-2024-10861 vulnerability.
Ays Popup Box versions before, and including, 4.9.7 are vulnerable to CVE-2024-10861.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c3717e03-9a18-48a1-97d3-1d41c7f93261?source=cve
- https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/4.9.2/admin/class-ays-pb-admin.php#L609
- https://plugins.trac.wordpress.org/changeset/3188357/ays-popup-box/tags/4.9.8/admin/class-ays-pb-admin.php?old=3186262&old_path=ays-popup-box%2Ftags%2F4.9.7%2Fadmin%2Fclass-ays-pb-admin.php