{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11370", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-06T14:00:15.658Z", "datePublished": "2026-01-06T03:21:40.305Z", "dateUpdated": "2026-01-06T15:02:56.692Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-06T03:21:40.305Z"}, "affected": [{"vendor": "averta", "product": "Depicter \u2014 Popup & Slider Builder", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "4.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Popup and Slider Builder by Depicter \u2013 Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings."}], "title": "Depicter <= 4.0.7 - Missing Authorization to Unauthenticated Display Rule Updates", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d35faf39-4882-4393-9b77-57dc45ac9d04?source=cve"}, {"url": "https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/RulesAjaxController.php"}, {"url": "https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/ajax.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3428118/depicter/trunk/app/routes/ajax.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Brizzle"}], "timeline": [{"time": "2025-10-07T11:18:32.000+00:00", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-05T15:17:33.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T15:01:50.835756Z", "id": "CVE-2025-11370", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T15:02:56.692Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11370", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T15:01:50.835756Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T15:02:50.248Z"}}], "cna": {"title": "Depicter <= 4.0.7 - Missing Authorization to Unauthenticated Display Rule Updates", "credits": [{"lang": "en", "type": "finder", "value": "Brizzle"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "averta", "product": "Depicter \u2014 Popup & Slider Builder", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-07T11:18:32.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-05T15:17:33.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d35faf39-4882-4393-9b77-57dc45ac9d04?source=cve"}, {"url": "https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/RulesAjaxController.php"}, {"url": "https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/ajax.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3428118/depicter/trunk/app/routes/ajax.php"}], "descriptions": [{"lang": "en", "value": "The Popup and Slider Builder by Depicter \u2013 Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-06T03:21:40.305Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11370", "state": "PUBLISHED", "dateUpdated": "2026-01-06T15:02:56.692Z", "dateReserved": "2025-10-06T14:00:15.658Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-06T03:21:40.305Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Popup and Slider Builder by Depicter \u2013 Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings."}], "id": "CVE-2025-11370", "lastModified": "2026-01-06T04:15:51.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-01-06T04:15:51.430", "references": [{"source": "security@wordfence.com", "url": "https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/RulesAjaxController.php"}, {"source": "security@wordfence.com", "url": "https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/ajax.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3428118/depicter/trunk/app/routes/ajax.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d35faf39-4882-4393-9b77-57dc45ac9d04?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"created": "2026-01-06T14:16:07.610873+00:00", "updated": "2026-01-06T14:16:07.610912+00:00", "vendors": ["averta", "averta$PRODUCT$depicter_slider", "averta$PRODUCT$slider_and_popup_builder_by_depicter", "wordpress", "wordpress$PRODUCT$wordpress"]}