{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/popup-maker/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-8848"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin \u003c= 1.22.0"],"_cs_severities":["high"],"_cs_tags":["wordpress","web-exploitation","vulnerability","rce","authorization-bypass"],"_cs_type":"advisory","_cs_vendors":["Popup Maker"],"content_html":"\u003cp\u003eA critical authorization bypass vulnerability, identified as CVE-2026-8848, has been discovered in all versions up to and including 1.22.0 of the \u0026quot;Popup Maker - Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder\u0026quot; plugin for WordPress. This flaw enables authenticated attackers possessing editor-level access or higher to circumvent proper authorization checks. The vulnerability allows these attackers to install and activate any arbitrary plugin from an attacker-controlled URL, ultimately leading to remote code execution (RCE) on the compromised WordPress instance. Successful exploitation hinges on two specific pre-conditions: an active Popup Maker Pro license must be present on the target site, and the Popup Maker Pro version must not yet be installed. These conditions are crucial as they allow a legacy \u003ccode\u003ev1/connect/info\u003c/code\u003e endpoint to issue a bearer token, which in turn satisfies a validation check required by the plugin's install endpoint.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An authenticated attacker, possessing editor-level or higher privileges, gains access to the WordPress administration interface of a site running the vulnerable Popup Maker plugin (version 1.22.0 or earlier).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePre-Condition Fulfillment\u003c/strong\u003e: The attacker confirms that the target WordPress site has an active Popup Maker Pro license and that the Popup Maker Pro version of the plugin is not currently installed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBearer Token Acquisition\u003c/strong\u003e: The attacker sends a crafted request to the plugin's legacy \u003ccode\u003ev1/connect/info\u003c/code\u003e endpoint (e.g., \u003ccode\u003e/wp-content/plugins/popup-maker/v1/connect/info\u003c/code\u003e). Under the specific conditions met in the previous step, this endpoint improperly issues a valid bearer token.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthorization Bypass\u003c/strong\u003e: The attacker utilizes the acquired bearer token to bypass the authorization and validation checks on a Popup Maker plugin installation endpoint, which would normally prevent editor-level users from installing plugins.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Plugin Provisioning\u003c/strong\u003e: The attacker specifies a URL pointing to a malicious WordPress plugin hosted on an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Plugin Installation and Activation\u003c/strong\u003e: The vulnerable Popup Maker functionality processes the request, downloads, installs, and activates the arbitrary malicious plugin from the attacker-provided URL.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: Upon activation, the malicious plugin executes code with the privileges of the web server, resulting in remote code execution (RCE) on the underlying operating system of the WordPress host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-8848 allows an attacker to achieve remote code execution on the WordPress host server. This can lead to complete compromise of the website and server, including defacement, data theft, insertion of backdoors, further lateral movement within the network, and establishment of persistent access. While requiring editor-level authentication, the ability to escalate privileges to RCE poses a severe risk to the integrity and confidentiality of the affected systems and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the \u0026quot;Popup Maker - Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder\u0026quot; plugin to version 1.22.1 or higher to patch CVE-2026-8848.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect anomalous access patterns to the legacy \u003ccode\u003ev1/connect/info\u003c/code\u003e endpoint, which is a key step in the exploitation chain for CVE-2026-8848.\u003c/li\u003e\n\u003cli\u003eEnsure \u003ccode\u003ewebserver\u003c/code\u003e access logs are enabled and configured to capture full URI paths (\u003ccode\u003ecs-uri-stem\u003c/code\u003e and \u003ccode\u003ecs-uri-query\u003c/code\u003e) and HTTP methods for improved visibility.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T08:24:53Z","date_published":"2026-07-09T08:24:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-popup-maker-auth-bypass/","summary":"An authorization bypass vulnerability, CVE-2026-8848, exists in the Popup Maker WordPress plugin versions up to and including 1.22.0, allowing authenticated attackers with editor-level access or higher to install and activate arbitrary plugins from a controlled URL, which leads to remote code execution, provided a valid Popup Maker Pro license is active and the Pro version is not yet installed.","title":"CVE-2026-8848: Popup Maker WordPress Plugin Authorization Bypass Leading to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-popup-maker-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Popup Maker","version":"https://jsonfeed.org/version/1.1"}