Description
The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability checks in the "depicter-media-upload" AJAX route in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files on the affected site's server.
Published: 2025-11-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Upload by Contributors
Action: Immediate Update
AI Analysis

Impact

The Depicter – Popup & Slider Builder plugin for WordPress allows authenticated users with Contributor-level access to upload files through a specific AJAX endpoint because the code lacks proper capability checks. The files that can be uploaded are limited to certain safe file types, yet an attacker could still use them to host malicious content or compromise the site’s media library. This flaw does not grant arbitrary code execution outright, but it gives the attacker a foothold for content injection or further attacks if additional vulnerabilities exist. The absence of authorization controls is a classic access‑control weakness, as identified by CWE‑862. This scenario can undermine the confidentiality or integrity of the site’s data, and may open the door to phishing or defacement if a malicious file is placed in a public directory.

Affected Systems

All installations of the Depicter – Popup & Slider Builder plugin from Averta with versions 4.0.4 and earlier are affected. The vulnerability is present in the "depicter-media-upload" AJAX route used for uploading media items such as images and other files. Users of newer releases (4.0.5 and above) are not impacted because the fix shipped in the release that followed the affected version.

Risk and Exploitability

With a CVSS score of 4.3, the severity is moderate, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog. Because the missing control is an authorization check, any user who has been granted Contributor (or higher) permissions on a WordPress site can reach the upload feature. While the attack vector requires the attacker to be an authenticated user with at least Contributor privileges, that role is often granted to many collaborators. If a site’s Contributor accounts are compromised or misused, the attacker could place spoofed images or other content that could trick visitors or cause brand damage. The risk is amplified where such roles are widely distributed and where the site relies on uploaded media for public display.

Generated by OpenCVE AI on April 21, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Depicter – Popup & Slider Builder plugin to the latest available revision to ensure the missing capability checks are restored.
  • Limit or remove Contributor-level permissions on sites that do not require that role, thereby reducing the pool of accounts able to reach the endpoint.
  • Configure server‑side validation or use the WordPress media library restrictperms setting to restrict the types of files that can be uploaded, ensuring only allowed file extensions and MIME types are accepted.
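The Impact section above describes the root cause (a wp_ajax_ handler reachable by any logged-in user with no capability check), and the last recommended action asks for server-side file type validation. The following is an added illustration of that pattern in WordPress PHP, not the Depicter plugin's own code: the action name, function names and nonce name are assumed, and the allow-list is a constructed example.

```php
<?php
// Hypothetical handler modelled on the weakness class described in the advisory
// (CWE-862); not taken from the Depicter plugin. Names below are assumptions.

// Before: every wp_ajax_* action is reachable by any authenticated user, so
// without an explicit capability check a Contributor can trigger the upload.
function example_media_upload_unchecked() {
    $file = $_FILES['file'] ?? null;
    if ( ! $file ) {
        wp_send_json_error( 'no file', 400 );
    }
    $result = wp_handle_upload( $file, array( 'test_form' => false ) );
    wp_send_json( $result );
}

// After: nonce, capability and server-side type checks run before the upload.
function example_media_upload_checked() {
    // Reject requests that did not originate from the plugin's own admin UI.
    check_ajax_referer( 'example_media_upload', 'nonce' );

    // Contributors lack upload_files by default; Authors and above have it.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $file = $_FILES['file'] ?? null;
    if ( ! $file || ! is_uploaded_file( $file['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Constructed allow-list: validate the real content (MIME sniff) and the
    // extension against it, independent of the client-supplied name and type.
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Pass the same allow-list to wp_handle_upload so core enforces it too.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( $result );
}
add_action( 'wp_ajax_example_media_upload', 'example_media_upload_checked' );
```

Detection-wise, admin-ajax.php requests for the media-upload action from accounts below Author are the signal to look for in access logs while the plugin is unpatched.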



Advisories

No advisories yet.

History

Thu, 06 Nov 2025 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Averta
                    |                | Averta slider And Popup Builder By Depicter
                    |                | Wordpress
                    |                | Wordpress wordpress
Vendors & Products  |                | Averta
                    |                | Averta slider And Popup Builder By Depicter
                    |                | Wordpress
                    |                | Wordpress wordpress

Wed, 05 Nov 2025 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc
        |                | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 05 Nov 2025 06:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability checks in the "depicter-media-upload" AJAX route in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files on the affected site's server.
Title       |                | Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Safe File Type Upload
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1
            |                | {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Averta Slider And Popup Builder By Depicter
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:19.935Z

Reserved: 2025-10-06T15:02:09.683Z

Link: CVE-2025-11373

Vulnrichment

Updated: 2025-11-05T14:24:08.006Z

NVD

Status : Deferred

Published: 2025-11-05T07:15:31.653

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11373

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses