CVE-2025-11370
Unknown Unknown - Not Provided
Unauthorized Data Modification in Depicter Popup Slider Plugin

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: Wordfence

Description
The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11370
EUVD
EUVD-2026-1091
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
depicter popup_and_slider_builder to 4.0.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Popup and Slider Builder by Depicter WordPress plugin (up to version 4.0.7). It is caused by a missing capability check on the 'store' function of the RulesAjaxController class, which allows unauthenticated attackers to modify pop-up display settings without authorization.

Impact Analysis

An attacker exploiting this vulnerability can update pop-up display settings on a vulnerable WordPress site without authentication. This unauthorized modification could lead to unwanted or malicious pop-ups being shown to site visitors, potentially impacting user experience or enabling further attacks such as phishing or malware distribution.

Detection Guidance

You can detect this vulnerability by monitoring for unauthorized POST requests to the AJAX endpoint related to the 'store' function of the RulesAjaxController class in the Depicter plugin. Specifically, look for HTTP POST requests targeting AJAX routes that update popup display settings without proper authentication. Using command-line tools like curl or wget, you can attempt to reproduce or detect unauthorized access. For example, a command to test might be: curl -X POST -d 'parameters' https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=store (adjusting parameters as needed). Additionally, monitoring web server logs for suspicious POST requests to Depicter AJAX endpoints without valid authentication tokens or cookies can help detect exploitation attempts. [1, 2, 4]

Mitigation Strategies

Immediate mitigation steps include updating the Depicter Popup and Slider Builder plugin to a version later than 4.0.7 where the missing capability check on the 'store' function has been fixed. If an update is not immediately available, restrict access to the AJAX endpoints by implementing additional authentication or firewall rules to block unauthenticated POST requests to these endpoints. Also, review and apply any security patches or middleware updates that enforce capability checks and CSRF protection, as indicated by recent changes adding 'depicter-editor' middleware and capability checks to AJAX routes. [4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11370. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart