Stored XSS Fixed In Popup Builder 4.2.3

During an analysis of the Popup Builder plugin, we discovered a pretty serious Stored XSS vulnerability that can be exploited by any attacker, regardless of whether they have an account on the site.

When successfully exploited, this vulnerability may let attackers perform any action the logged‑in administrator they targeted is allowed to do on the targeted site, including installing arbitrary plugins, and creating new rogue Administrator users.

Upon identifying the vulnerability, we promptly alerted the authors of that plugin, who released version 4.2.3 to fix the issue. It is crucial for administrators of sites using this plugin to ensure it is fully updated to safeguard against this vulnerability.

Unauthenticated Stored XSS

Fixed Version: 4.2.3
CVE-ID: CVE-2023-6000
WPVDB ID: cdb3a8bd-4ee0-4ce0-9029-0490273bcfc8
CVSSv3.1: 8.8
public static function parsePopupDataFromData($data)
{
    $popupData = array();
    $data = apply_filters('sgpbFilterOptionsBeforeSaving', $data);
    foreach ($data as $key => $value) {
        if ( !is_array( $value ) ) {
            // Scalar values: keys containing "-url" go through wp_sanitize_redirect()
            // (to avoid 404 errors), everything else through sanitize_text_field()
            if ( strpos( $key, '-url' ) === false )
                $value = sanitize_text_field( $value );
            else
                $value = wp_sanitize_redirect( $value );
        }
        // Keep every key prefixed with "sgpb"; array values pass through this
        // branch unchanged, since the sanitization above only covers scalars
        if (strpos($key, 'sgpb') === 0) {
            $popupData[$key] = $value;
        }
        // name/value pairs (serialized form fields) whose name is prefixed with "sgpb"
        if (is_array($value) && isset($value['name']) && strpos($value['name'], 'sgpb') === 0) {
            $popupData[$value['name']] = sanitize_text_field( $value['value'] );
        }
        // the post_ID field is cast to an integer and stored under a fixed key
        else if (is_array($value) && isset($value['name']) && strpos($value['name'], 'post_ID') === 0) {
            $popupData['sgpb-post-id'] = (int) sanitize_text_field( $value['value'] );
        }
    }
    return $popupData;
}

The plugin handled certain POST parameters inconsistently across its code base. Some places read $_POST['key'] directly, whereas others went through the plugin's SGPopup::parsePopupDataFromData() method. This led to logic bugs: the plugin would first check $_POST in IF conditional statements, but then grab the value of that parameter through the method when acting on it.

This, combined with a sensitive post-previewing function we found hooked on the WordPress init action without any proper capability checks in place, led us to discover that the issue could be escalated to conduct Stored XSS attacks without requiring any type of account on the targeted site.
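To make the two defensive points above concrete, here is an added PHP illustration (not Popup Builder's code, and not the vendor's fix): a preview handler on init that gates itself with a capability check and a nonce, and that makes every decision on the same sanitized array it later uses, so the checked value and the used value cannot diverge. All function, option and nonce names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Names are hypothetical.

// Single normalized view of the submitted data. Every consumer reads from
// this array only, never from $_POST directly, so a check made here and
// a value used later always refer to the same data.
function example_parse_popup_post(array $raw): array {
    $data = array();
    foreach ($raw as $key => $value) {
        if (!is_string($key) || strpos($key, 'sgpb') !== 0) {
            continue; // accept only plugin-prefixed keys
        }
        if (is_array($value)) {
            continue; // nested values are not expected; drop rather than store raw
        }
        // same URL/text split as the plugin's parser, applied to every scalar
        $data[$key] = (strpos($key, '-url') === false)
            ? sanitize_text_field($value)
            : wp_sanitize_redirect($value);
    }
    return $data;
}

// Runs on init, which fires for anonymous visitors too, so the handler
// must establish who is calling before doing anything sensitive.
function example_preview_popup(): void {
    if (!isset($_POST['sgpb-preview-nonce'])) {
        return; // not a preview request
    }
    if (!current_user_can('edit_posts')) {
        return; // capability check: anonymous and low-privilege users stop here
    }
    $nonce = sanitize_text_field(wp_unslash($_POST['sgpb-preview-nonce']));
    if (!wp_verify_nonce($nonce, 'sgpb_preview')) {
        return; // CSRF protection for the logged-in user
    }
    $popup = example_parse_popup_post(wp_unslash($_POST));
    if (empty($popup['sgpb-title'])) {
        return; // decision and use both go through $popup, not $_POST
    }
    // Escape on output: sanitized input is still untrusted in an HTML context.
    echo '<h2>' . esc_html($popup['sgpb-title']) . '</h2>';
}
add_action('init', 'example_preview_popup');
```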

A proof of concept will be made available on the WPScan entry for this issue on January 1st, 2024.

Timeline

  • 2023‑11‑07 – Details of the vulnerability sent to the Popup Builder team
  • 2023‑11‑13 – Popup Builder 4.2.2 is released, but still vulnerable
  • 2023‑11‑21 – We escalate the issue to WordPress.org’s Plugin team
  • 2023‑12‑07 – Patch released by the Popup Builder team on version 4.2.3

Credits

Original research: Marc Montpas

Thanks to the rest of the WPScan team for feedback, help, and corrections.
