CVE-2024-9428
Popup Builder < 4.3.5 - Admin+ Stored XSSThe Popup Builder WordPress plugin before 4.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
We have discovered 9,345 live websites that are affected by CVE-2024-9428.
Affected Software
| Product |  Popup Builder |
| Category | Wordpress Plugins |
| Vulnerable Domains | 9,345 live websites (39.97% of Popup Builder install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 128 versions ( 97.71% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Dec 12, 2024
- Updated - Dec 12, 2024
Credits
- Dmitrii Ignatyev (finder)
- WPScan (coordinator)
CWE
CVE References
CWE References
CVE-2024-9428 usage by Country
 United States | 3,239 websites |
 Germany | 927 websites |
 France | 645 websites |
 Italy | 318 websites |
 GB | 293 websites |
 Russia | 282 websites |
 Poland | 276 websites |
 Cyprus | 221 websites |
 Brazil | 215 websites |
 Spain | 202 websites |
CVE-2024-9428 usage by TLD
| .com | 3,952 websites |
| .org | 451 websites |
| .de | 373 websites |
| .it | 269 websites |
| .com.br | 257 websites |
| .ru | 244 websites |
| .fr | 240 websites |
| .co.uk | 220 websites |
| .pl | 207 websites |
| .com.au | 178 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-9428
Top websites that are affected by CVE-2024-9428. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.domains | United States | *,*** | |
| ***************.pl | Poland | **,*** | |
| ******.com | United States | **,*** | |
| ************.***.au | United States | **,*** | |
| **********.net | United States | **,*** | |
| *****.com | GB | **,*** | |
| *****.io | United States | **,*** | |
| ********.nl |  Netherlands | ***,*** | |
| *******.org | United States | ***,*** | |
| ******.group | Cyprus | ***,*** |
FAQ
CVE-2024-9428 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Popup Builder
A total of 9,345 websites have been identified as vulnerable to CVE-2024-9428, discovered through global website indexing conducted by WebTechSurvey.
Popup Builder is susceptible to CVE-2024-9428 vulnerability.
Popup Builder versions before 4.3.5 are vulnerable to CVE-2024-9428.
Version 4.3.5 of Popup Builder addresses the CVE-2024-9428 security vulnerability.