<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Popup Maker - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/popup-maker/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 08:24:53 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/popup-maker/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-8848: Popup Maker WordPress Plugin Authorization Bypass Leading to RCE</title><link>https://feed.craftedsignal.io/briefs/2026-07-popup-maker-auth-bypass/</link><pubDate>Thu, 09 Jul 2026 08:24:53 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-popup-maker-auth-bypass/</guid><description>An authorization bypass vulnerability, CVE-2026-8848, exists in the Popup Maker WordPress plugin versions up to and including 1.22.0, allowing authenticated attackers with editor-level access or higher to install and activate arbitrary plugins from a controlled URL, which leads to remote code execution, provided a valid Popup Maker Pro license is active and the Pro version is not yet installed.</description><content:encoded><![CDATA[<p>A critical authorization bypass vulnerability, identified as CVE-2026-8848, has been discovered in all versions up to and including 1.22.0 of the &quot;Popup Maker - Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder&quot; plugin for WordPress. This flaw enables authenticated attackers possessing editor-level access or higher to circumvent proper authorization checks. The vulnerability allows these attackers to install and activate any arbitrary plugin from an attacker-controlled URL, ultimately leading to remote code execution (RCE) on the compromised WordPress instance. Successful exploitation hinges on two specific pre-conditions: an active Popup Maker Pro license must be present on the target site, and the Popup Maker Pro version must not yet be installed. These conditions are crucial as they allow a legacy <code>v1/connect/info</code> endpoint to issue a bearer token, which in turn satisfies a validation check required by the plugin's install endpoint.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An authenticated attacker, possessing editor-level or higher privileges, gains access to the WordPress administration interface of a site running the vulnerable Popup Maker plugin (version 1.22.0 or earlier).</li>
<li><strong>Pre-Condition Fulfillment</strong>: The attacker confirms that the target WordPress site has an active Popup Maker Pro license and that the Popup Maker Pro version of the plugin is not currently installed.</li>
<li><strong>Bearer Token Acquisition</strong>: The attacker sends a crafted request to the plugin's legacy <code>v1/connect/info</code> endpoint (e.g., <code>/wp-content/plugins/popup-maker/v1/connect/info</code>). Under the specific conditions met in the previous step, this endpoint improperly issues a valid bearer token.</li>
<li><strong>Authorization Bypass</strong>: The attacker utilizes the acquired bearer token to bypass the authorization and validation checks on a Popup Maker plugin installation endpoint, which would normally prevent editor-level users from installing plugins.</li>
<li><strong>Malicious Plugin Provisioning</strong>: The attacker specifies a URL pointing to a malicious WordPress plugin hosted on an attacker-controlled server.</li>
<li><strong>Arbitrary Plugin Installation and Activation</strong>: The vulnerable Popup Maker functionality processes the request, downloads, installs, and activates the arbitrary malicious plugin from the attacker-provided URL.</li>
<li><strong>Impact</strong>: Upon activation, the malicious plugin executes code with the privileges of the web server, resulting in remote code execution (RCE) on the underlying operating system of the WordPress host.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-8848 allows an attacker to achieve remote code execution on the WordPress host server. This can lead to complete compromise of the website and server, including defacement, data theft, insertion of backdoors, further lateral movement within the network, and establishment of persistent access. While requiring editor-level authentication, the ability to escalate privileges to RCE poses a severe risk to the integrity and confidentiality of the affected systems and data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the &quot;Popup Maker - Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder&quot; plugin to version 1.22.1 or higher to patch CVE-2026-8848.</li>
<li>Deploy the provided Sigma rule to detect anomalous access patterns to the legacy <code>v1/connect/info</code> endpoint, which is a key step in the exploitation chain for CVE-2026-8848.</li>
<li>Ensure <code>webserver</code> access logs are enabled and configured to capture full URI paths (<code>cs-uri-stem</code> and <code>cs-uri-query</code>) and HTTP methods for improved visibility.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>web-exploitation</category><category>vulnerability</category><category>rce</category><category>authorization-bypass</category></item></channel></rss>