WordPress Plugin Vulnerabilities

Popup Anything < 2.1.7 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape a parameter before outputting it back in a frontend page, leading to a Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
popup-anything-on-click
Fixed in 2.1.7

References

CVE
CVE-2022-2115

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of WuHan University
Submitter
ZhongFu Su(JrXnm) of WuHan University
Submitter website
https://blog.szfszf.top
Submitter twitter
JrXnm
Verified
Yes
WPVDB ID
1f0ae535-c560-4510-ae9a-059e2435ad39

Timeline

Publicly Published
2022-07-04 (about 3 years ago)
Added
2022-07-04 (about 3 years ago)
Last Updated
2023-04-07 (about 2 years ago)

Other

Published
Title
Published
2025-09-23
Title
WorkScout-Core < 1.7.06 - Reflected Cross-Site Scripting
Published
2025-09-26
Title
WP Ticket Customer Service Software & Support Ticket System < 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-06-06
Title
Kognetiks Chatbot for WordPress < 1.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-01-02
Title
Qubely < 1.8.5 - Contributor+ Stored XSS
Published
2023-10-29
Title
Related Products for WooCommerce < 3.3.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode