During an analysis of the Popup Builder plugin, we discovered a serious Stored XSS vulnerability that can be exploited by any attacker, regardless of whether they have an account on the site.
When successfully exploited, this vulnerability may let attackers perform any action that the logged‑in administrator they target is allowed to perform on the site, including installing arbitrary plugins and creating new rogue Administrator users.
Upon identifying the vulnerability, we promptly alerted the plugin's authors, who released version 4.2.3 to fix the issue. Administrators of sites using this plugin should ensure it is fully updated to protect against this vulnerability.
Unauthenticated Stored XSS
| Field | Value |
| --- | --- |
| Fixed Version | 4.2.3 |
| CVE-ID | CVE-2023-6000 |
| WPVDB ID | cdb3a8bd-4ee0-4ce0-9029-0490273bcfc8 |
| CVSSv3.1 | 8.8 |
```php
// SGPopup::parsePopupDataFromData() as shipped in the vulnerable versions:
// it filters the incoming data and sanitizes scalar values, keeping only
// keys (or nested 'name' entries) that start with the plugin's "sgpb" prefix.
public static function parsePopupDataFromData($data)
{
    $popupData = array();
    $data = apply_filters('sgpbFilterOptionsBeforeSaving', $data);
    foreach ($data as $key => $value) {
        if ( !is_array( $value ) ) {
            //Sanitize URL to avoid 404 error
            if ( strpos( $key, '-url' ) === false )
                $value = sanitize_text_field( $value );
            else
                $value = wp_sanitize_redirect( $value );
        }
        if (strpos($key, 'sgpb') === 0) {
            $popupData[$key] = $value;
        }
        // Form-style entries ({name: ..., value: ...}) are unpacked here
        if (is_array($value) && isset($value['name']) && strpos($value['name'], 'sgpb') === 0) {
            $popupData[$value['name']] = sanitize_text_field( $value['value'] );
        }
        else if (is_array($value) && isset($value['name']) && strpos($value['name'], 'post_ID') === 0) {
            $popupData['sgpb-post-id'] = (int) sanitize_text_field( $value['value'] );
        }
    }
    return $popupData;
}
```
The plugin was inconsistent in how it read certain POST parameters. Some code paths used $_POST['key'] directly, whereas others went through the plugin's SGPopup::parsePopupDataFromData() method shown above. This led to logic bugs: the plugin would first check $_POST in IF conditional statements, but then fetch the value of that same parameter through the method before acting on it, so the value that was checked and the value that was used could differ.
This, combined with a sensitive post‑previewing function that we found hooked on the WordPress init action without any proper capability checks in place, allowed the issue to be escalated into a Stored XSS attack that requires no account of any kind on the targeted site.
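For contrast, the following is an added illustration of how an init‑hooked preview handler can be hardened against the two weaknesses described above; it is not Popup Builder's code. It reads every parameter from one sanitized array (so the value that is checked is the value that is used) and refuses to do anything before a capability check and a nonce check pass. The function names, the sgpb‑preview / sgpb‑title field names and the popup_preview nonce action are assumptions made for the example.

```php
<?php
// Added illustration of the defensive pattern; not Popup Builder's own code.
// Function names, field names and the nonce action below are assumptions.

function example_collect_popup_request() {
    // Read every field from a single source and sanitize it once, so the
    // later checks and the later use operate on the same value.
    $fields = array();
    foreach ( $_POST as $key => $value ) {
        if ( ! is_string( $key ) || strpos( $key, 'sgpb' ) !== 0 ) {
            continue; // only the plugin's own prefixed keys are accepted
        }
        if ( is_array( $value ) ) {
            continue; // nested form-style entries are deliberately not unpacked
        }
        $fields[ $key ] = ( strpos( $key, '-url' ) === false )
            ? sanitize_text_field( wp_unslash( $value ) )
            : esc_url_raw( wp_unslash( $value ) );
    }
    return $fields;
}

function example_handle_popup_preview() {
    // Not a preview request: leave the rest of the request untouched.
    if ( ! isset( $_POST['sgpb-preview'] ) ) {
        return;
    }
    // 1. Authorization: an unauthenticated visitor fails here, before any
    //    user-controlled data is processed or stored.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF: the request must carry a nonce bound to this specific action.
    check_admin_referer( 'popup_preview', 'sgpb_preview_nonce' );

    $fields  = example_collect_popup_request();
    $post_id = isset( $fields['sgpb-post-id'] ) ? (int) $fields['sgpb-post-id'] : 0;
    if ( $post_id && ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 3. Output encoding: render through esc_html(), never the raw string,
    //    so markup inside a field cannot become executable script.
    $title = isset( $fields['sgpb-title'] ) ? $fields['sgpb-title'] : '';
    echo '<h2>' . esc_html( $title ) . '</h2>';
}
add_action( 'init', 'example_handle_popup_preview' );
```

Sanitizing on input (sanitize_text_field) is not a substitute for escaping on output (esc_html); both are needed, and the capability check must precede any persistence of the submitted data.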
A proof of concept will be made available on the WPScan entry for this issue on January 1st, 2024.
Timeline
- 2023‑11‑07 – Details of the vulnerability sent to the Popup Builder team
- 2023‑11‑13 – Popup Builder 4.2.2 is released, but still vulnerable
- 2023‑11‑21 – We escalate the issue to WordPress.org’s Plugin team
- 2023‑12‑07 – Patch released by the Popup Builder team on version 4.2.3
Credits
Original research: Marc Montpas
Thanks to the rest of the WPScan team for feedback, help, and corrections.