CVE-2024-29009
Description
Cross-site request forgery (CSRF) vulnerability in easy-popup-show all versions allows a remote unauthenticated attacker to hijack the authentication of the administrator and to perform unintended operations if the administrator views a malicious page while logged in.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in easy-popup-show WordPress plugin allows attackers to hijack admin sessions and perform unintended actions via malicious pages.
The WordPress plugin "easy-popup-show" contains a cross-site request forgery (CSRF) vulnerability. An unauthenticated attacker can leverage this flaw to hijack the authentication of an administrator if the administrator visits a specially crafted malicious page while logged in [1]. The vulnerability is present in all versions of the plugin.
The attack surface is the WordPress admin interface, where a logged-in administrator may be tricked into clicking a link or viewing a page that triggers unwanted actions. No authentication is required from the attacker, but the attack relies on social engineering to make the administrator interact with the malicious page [1].
Successful exploitation could allow the attacker to perform unintended operations with administrative privileges. This may include creating new admin accounts, modifying site settings, or installing malicious plugins, effectively compromising the entire WordPress site.
The developer has stated that the plugin is no longer supported, and it has been closed as of April 11, 2022 [2]. Users are advised to stop using the plugin immediately [1]. No patch is available, and the product is effectively end-of-life.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
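The mechanism described above (a logged-in administrator's browser submits a state-changing request that the plugin accepts without any proof that the request originated from the plugin's own admin page) is the textbook WordPress CSRF pattern, and the standard mitigation is a capability check plus a nonce bound to the action. The following is an added illustration written for this page, not code from easy-popup-show; the function names, option name, action name, nonce field name and menu slug are all hypothetical.

```php
<?php
// Hypothetical WordPress plugin settings handler, written to illustrate the
// CSRF mitigation pattern. Not the easy-popup-show plugin's code; the option
// name, action name, nonce name and page slug are assumptions.

// --- Unprotected pattern: state change with no proof of request origin ---
// Because the browser attaches the WordPress auth cookies automatically, a
// form submitted from any page the administrator visits is indistinguishable
// from one submitted from the plugin's own settings screen.
function eps_demo_save_settings_unprotected() {
    if ( isset( $_POST['eps_demo_popup_text'] ) ) {
        update_option( 'eps_demo_popup_text', sanitize_text_field( wp_unslash( $_POST['eps_demo_popup_text'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=eps-demo' ) );
    exit;
}

// --- Hardened pattern: capability check + nonce tied to this action ---
function eps_demo_save_settings() {
    // 1. The acting user must be allowed to change settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry a nonce issued to this user for this action.
    //    check_admin_referer() stops execution with an error page when the
    //    nonce is missing, expired, or issued for another action or user, so
    //    a form hosted on a third-party page cannot supply a valid one.
    check_admin_referer( 'eps_demo_save_settings', '_eps_demo_nonce' );

    $text = isset( $_POST['eps_demo_popup_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['eps_demo_popup_text'] ) )
        : '';
    update_option( 'eps_demo_popup_text', $text );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=eps-demo' ) ) );
    exit;
}
// admin_post_{action} fires only for authenticated users; the nonce is still
// required because an authenticated browser is exactly what CSRF abuses.
add_action( 'admin_post_eps_demo_save_settings', 'eps_demo_save_settings' );

// Settings form: wp_nonce_field() emits the hidden field the handler verifies.
function eps_demo_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $current = get_option( 'eps_demo_popup_text', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="eps_demo_save_settings">
        <?php wp_nonce_field( 'eps_demo_save_settings', '_eps_demo_nonce' ); ?>
        <label>Popup text
            <input type="text" name="eps_demo_popup_text" value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The same two checks apply to AJAX endpoints (use check_ajax_referer() there) and to any GET-triggered action such as a "delete" link (wrap the URL with wp_nonce_url() and verify it the same way). When auditing an abandoned plugin like this one, the quick review is to list every update_option(), wp_insert_post(), activate_plugin() or similar state change reachable from admin_post_*, wp_ajax_* or admin_init hooks and confirm each is preceded by both a current_user_can() test and a nonce verification; since no fix will be published for this plugin, the only real remediation remains removing it, as the advisory states.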
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0
No linked articles in our index yet.