The vulnerability identified as CVE-2025-11370 affects the averta Depicter — Popup & Slider Builder plugin for WordPress, which is used to create various popup and slider elements such as email collection popups, coupon popups, and image sliders. The root cause is a missing authorization (CWE-862) in the 'store' function within the RulesAjaxController class. This function lacks a capability check to verify whether the requester has the necessary permissions to modify popup display settings. As a result, unauthenticated attackers can send crafted requests to update these settings arbitrarily. This can lead to unauthorized changes in the site's user interface, potentially enabling attackers to display malicious or deceptive popups that could be used for phishing, social engineering, or to degrade user trust. The vulnerability affects all versions up to and including 4.0.7. The CVSS 3.1 base score is 5.3, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or availability impact, but partial integrity impact. No patches or official fixes are currently linked, and no known exploits have been observed in the wild as of the publication date. The plugin's popularity in WordPress ecosystems makes this a notable risk for websites relying on it for marketing or user engagement features.

The primary impact of this vulnerability is unauthorized modification of popup display settings, which compromises the integrity of the affected websites. Attackers could inject misleading or malicious content into popups, potentially facilitating phishing attacks, spreading misinformation, or manipulating user behavior. While confidentiality and availability are not directly affected, the integrity breach can erode user trust and damage brand reputation. For e-commerce or marketing websites, this could translate into financial losses or regulatory scrutiny if user data is indirectly compromised through social engineering. The ease of exploitation—requiring no authentication or user interaction—means attackers can automate attacks at scale, increasing the risk of widespread abuse. Organizations with high traffic or sensitive user bases are particularly vulnerable to reputational damage and potential downstream attacks leveraging this vulnerability.

To mitigate this vulnerability, organizations should first verify if they are using the averta Depicter — Popup & Slider Builder plugin, especially versions up to 4.0.7. Immediate steps include: 1) Applying any available patches or updates from the vendor once released; 2) If no patch is available, temporarily disabling or uninstalling the plugin to prevent exploitation; 3) Implementing Web Application Firewall (WAF) rules to block unauthorized AJAX requests targeting the RulesAjaxController 'store' function endpoint; 4) Restricting access to the WordPress admin-ajax.php endpoint to authenticated users or trusted IP ranges where feasible; 5) Monitoring website logs for unusual POST requests modifying popup settings; 6) Conducting regular plugin audits to ensure all third-party components enforce proper authorization checks; 7) Educating site administrators about the risks of unauthorized popup modifications and encouraging prompt response to suspicious activity. These targeted actions go beyond generic advice by focusing on the specific vulnerable function and attack vector.