Popup Builder WordPress Plugin Server-Side Request Forgery Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Popup Builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress, affecting all versions through 2.1.4. The vulnerability arises from inadequate validation of URLs provided via the URL parameter, allowing unauthenticated attackers to send web requests to arbitrary locations from the web application. This could be exploited to query and modify information from internal services or conduct network reconnaissance. Although the vulnerability was partially addressed in version 2.1.4, it remains a concern in earlier versions.

Impact

Exploitation of this vulnerability allows for unauthorized web requests to be made from the server, potentially leading to unauthorized access or modification of internal resources and services.

Remediation

Users are advised to update the Popup Builder WordPress plugin to version 2.1.5 or later.