Lucene search
C3p0d4yWPVDB-ID:725F6AE4-7EC5-4D7C-9533-C9B61B59CC2BHistoryOct 31, 2022 - 12:00 a.m.
Popup Maker < 1.16.11 - Contributor+ Stored Cross Site Scripting
2022-10-3100:00:00
c3p0d4y
wpscan.com
14
popup maker
stored cross site scripting
unescaped options
admin compromise
0.001 Low
EPSS
Percentile
24.8%
The plugin does not sanitise and escape some of its Popup options, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against admins
PoC
Create a New popup Insert pop-up name, title, and body text. Add a new trigger with default settings, choose “Click Open” and under “On Popup Close” then click add. Click add new cookie and in the cookie name add the payload as cookie name: The XSS will be triggered when editing a trigger
| CPE | Name | Operator | Version |
|---|---|---|---|
| popup-maker | lt | 1.16.11 |
Related
patchstack
patchstack
nvd
nvd
CVE-2022-3690
2022-11-21 11:15:20
osv
osv
CVE-2022-3690
2022-11-21 11:15:20
prion
prion
Cross site scripting
2022-11-21 11:15:00
cve
cve
CVE-2022-3690
2022-11-21 11:15:20
cvelist
cvelist
cnvd
cnvd
WordPress Popup Maker Cross-Site Scripting Vulnerability
2022-11-23 00:00:00
openvas
openvas
WordPress Popup Maker Plugin < 1.16.11 XSS Vulnerability
2023-02-23 00:00:00
wpexploit
wpexploit
Popup Maker < 1.16.11 - Contributor+ Stored Cross Site Scripting
2022-10-31 00:00:00