
CVE-2025-11370: CWE-862 Missing Authorization in averta Depicter — Popup & Slider Builder

Severity: Medium
Tags: Vulnerability, CVE-2025-11370, CWE-862
Published: Tue Jan 06 2026 (01/06/2026, 03:21:40 UTC)
Source: CVE Database V5
Vendor/Project: averta
Product: Depicter — Popup & Slider Builder

Description

The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings.

AI-Powered Analysis

Last updated: 01/06/2026, 03:54:52 UTC

Technical Analysis

CVE-2025-11370 identifies a missing authorization vulnerability (CWE-862) in the averta Depicter — Popup & Slider Builder plugin for WordPress, specifically in the 'store' function of the RulesAjaxController class. This function performs no capability check, so a remote, unauthenticated attacker can update pop-up display settings without any user interaction. The plugin is widely used to create email collection popups, coupon modals, image sliders, and carousels on WordPress sites. By exploiting this flaw, attackers can manipulate the content and behavior of pop-ups, potentially injecting malicious or misleading information to deceive users, facilitate phishing, or disrupt marketing campaigns. The vulnerability affects all versions up to and including 4.0.7; no patch is listed in the source data. The CVSS v3.1 base score is 5.3 (medium severity), with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), limited integrity impact (I:L), and no availability impact (A:N). No known exploits have been reported in the wild, but the ease of exploitation and the potential for misuse in social engineering attacks make it a relevant threat for WordPress site administrators.
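To make the defect concrete, the following is an added illustrative example, not Depicter's code: the class, hook and option names are invented, and only the pattern (an AJAX 'store' handler reachable without a capability check, beside its hardened form) mirrors what the advisory describes.

```php
<?php
// Added example, not the plugin's source. Names are hypothetical.

class Example_RulesAjaxController_Vulnerable {
    public function register() {
        // Registered for logged-in AND anonymous callers: any visitor reaches store().
        add_action( 'wp_ajax_example_rules_store', [ $this, 'store' ] );
        add_action( 'wp_ajax_nopriv_example_rules_store', [ $this, 'store' ] );
    }

    public function store() {
        // Missing: nonce verification and a capability check (the CWE-862 defect).
        $rules = isset( $_POST['rules'] ) ? wp_unslash( $_POST['rules'] ) : [];
        update_option( 'example_popup_display_rules', $rules );
        wp_send_json_success( [ 'saved' => true ] );
    }
}

class Example_RulesAjaxController_Fixed {
    public function register() {
        // No nopriv registration: anonymous requests never reach store().
        add_action( 'wp_ajax_example_rules_store', [ $this, 'store' ] );
    }

    public function store() {
        // 1. CSRF protection: the request must carry a nonce issued for this action.
        check_ajax_referer( 'example_rules_store', 'nonce' );

        // 2. Authorization: only users who may manage site options change display rules.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( [ 'message' => 'forbidden' ], 403 );
        }

        // 3. Input validation: keep only expected fields, coerced to expected types.
        $raw   = ( isset( $_POST['rules'] ) && is_array( $_POST['rules'] ) ) ? wp_unslash( $_POST['rules'] ) : [];
        $rules = [];
        foreach ( $raw as $rule ) {
            if ( ! is_array( $rule ) ) {
                continue;
            }
            $rules[] = [
                'popup_id' => absint( $rule['popup_id'] ?? 0 ),
                'page'     => sanitize_text_field( $rule['page'] ?? '' ),
                'enabled'  => ! empty( $rule['enabled'] ),
            ];
        }
        update_option( 'example_popup_display_rules', $rules );
        wp_send_json_success( [ 'saved' => count( $rules ) ] );
    }
}
```

The nonce alone would not have prevented this issue: a nonce proves the request originated from a page the site served, while `current_user_can()` is the check that decides whether the caller is allowed to change the setting at all.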

Potential Impact

For European organizations, this vulnerability primarily threatens the integrity of web content delivered via pop-ups on WordPress sites using the affected plugin. Unauthorized modification of pop-up settings can lead to the injection of fraudulent messages, phishing attempts, or misleading promotional content, potentially damaging brand reputation and user trust. While it does not directly compromise sensitive data confidentiality or system availability, the indirect consequences include increased risk of credential theft, malware distribution, or customer deception. Organizations relying heavily on pop-up-based marketing, user engagement, or email collection are particularly vulnerable. Given the widespread use of WordPress across Europe, especially in e-commerce, media, and marketing sectors, the vulnerability could be exploited to target customers or employees. The lack of required authentication and user interaction lowers the barrier for attackers, increasing the likelihood of exploitation if unpatched. However, the absence of known active exploits suggests limited immediate impact but warrants proactive mitigation.

Mitigation Recommendations

1. Monitor for official patches or updates from averta and apply them immediately once available to ensure the vulnerability is remediated.
2. Until a patch is released, implement web application firewall (WAF) rules to restrict access to the vulnerable AJAX endpoint, specifically the 'store' function of RulesAjaxController, allowing only authenticated and authorized users.
3. Review and harden WordPress user roles and permissions to minimize exposure of administrative functions.
4. Employ security plugins that can detect and block unauthorized changes to plugin settings or suspicious AJAX requests.
5. Conduct regular audits of pop-up content and configurations to detect unauthorized modifications promptly.
6. Educate site administrators and content managers about this vulnerability and encourage vigilance for unusual pop-up behavior.
7. Consider temporarily disabling the Depicter plugin if the risk outweighs its benefits until a secure version is available.
8. Use network segmentation and monitoring to detect anomalous traffic patterns targeting WordPress AJAX endpoints.
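As an added example of mitigation step 2 applied inside WordPress rather than at a WAF (this is not vendor code): a must-use plugin that rejects unauthenticated and unprivileged requests to the AJAX action before the plugin's own handler runs, and logs each blocked attempt for step 8. It assumes the plugin registers its 'store' handler through the standard `wp_ajax_{action}` / `wp_ajax_nopriv_{action}` hooks at the default priority; the action name is a placeholder, since the page does not give it.

```php
<?php
/**
 * Plugin Name: Example virtual patch for CVE-2025-11370 (added example, not vendor code)
 *
 * Drop into wp-content/mu-plugins/. EXAMPLE_RULES_STORE_ACTION is a placeholder:
 * replace it with the action name the plugin actually registers (inspect its
 * add_action calls), and remove this file once a release newer than 4.0.7 is installed.
 * If the plugin routes 'store' through its own endpoint instead of admin-ajax.php,
 * these hooks never fire and a WAF rule is needed instead.
 */

const EXAMPLE_RULES_STORE_ACTION = 'example_rules_store_action_PLACEHOLDER';

// Unauthenticated callers: refuse before any later handler on this action runs.
// admin-ajax.php fires wp_ajax_nopriv_{action} for visitors without a session;
// priority 0 runs ahead of a handler registered at the default priority 10.
add_action( 'wp_ajax_nopriv_' . EXAMPLE_RULES_STORE_ACTION, function () {
    example_log_blocked_rules_store( 'unauthenticated client' );
    wp_send_json_error( [ 'message' => 'Authentication required.' ], 401 );
}, 0 );

// Authenticated but unprivileged callers: enforce the capability check that the
// vulnerable 'store' handler lacks. wp_send_json_error() terminates the request.
add_action( 'wp_ajax_' . EXAMPLE_RULES_STORE_ACTION, function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        example_log_blocked_rules_store( 'user ' . get_current_user_id() );
        wp_send_json_error( [ 'message' => 'Insufficient permissions.' ], 403 );
    }
}, 0 );

function example_log_blocked_rules_store( string $who ): void {
    // One line per blocked attempt in the PHP error log, for alerting and incident response.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown';
    error_log( sprintf(
        'CVE-2025-11370 virtual patch blocked %s from %s (action=%s)',
        $who,
        $ip,
        EXAMPLE_RULES_STORE_ACTION
    ) );
}
```

Forwarding the error log to the SIEM turns each blocked call into a detection event; a burst of 401s against this action from one source is the traffic pattern step 8 asks you to watch for.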


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-06T14:00:15.658Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 695c838f3839e44175cef8d5

Added to database: 1/6/2026, 3:37:51 AM

Last enriched: 1/6/2026, 3:54:52 AM

Last updated: 1/8/2026, 9:00:02 AM