Depicter

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings.

Basic Information

ID CVE-2025-11370

Source Wordfence

Published Jan 6, 2026 at 03:21

Affected Product

Vendor averta

Product Depicter — Popup & Slider Builder

Version *

Affected Versions averta Depicter — Popup & Slider Builder *

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "The Popup and Slider Builder by Depicter \u2013 Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings.",
    "published": "2026-01-06T03:21:40.305Z",
    "modified": "2026-01-06T03:21:40.305Z",
    "type": "cve",
    "title": "Depicter <= 4.0.7 - Missing Authorization to Unauthenticated Display Rule Updates",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d35faf39-4882-4393-9b77-57dc45ac9d04?source=cve\nhttps://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/RulesAjaxController.php\nhttps://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/ajax.php\nhttps://plugins.trac.wordpress.org/changeset/3428118/depicter/trunk/app/routes/ajax.php",
    "id": "CVE-2025-11370",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "averta Depicter \u2014 Popup & Slider Builder *",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Depicter \u2014 Popup & Slider Builder",
    "version": "*",
    "vendor": "averta",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Depicter <= 4.0.7 - Missing Authorization to Unauthenticated Display Rule Updates_CVE-2025-11370