Popup Maker < 1.16.9 – Contributor+ Stored XSS via Shortcode | CVE 2022-4362 | Plugin Vulnerabilities

Description

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a user with the Contributor or above, create a new Popup (in Popup Maker menu) with "content" field containing [popup_close tag="script"]alert(/XSS/)[/popup_close].

The XSS will be triggered when previewing the Popup, as well as in Frontend pages (once the popup is published)

Alternatively, the shortcode can also be put directly in any post/page and the XSS will be triggered when the post/page will be previewed/viewed

Affects Plugins

Fixed in 1.16.9

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Tin Pham aka TF1T

Submitter

Tin Pham aka TF1T

Verified

Yes

WPVDB ID

2660225a-e4c8-40f2-8c98-775ef2301212

Timeline

Publicly Published

2022-09-23 (about 3 years ago)

Added

2022-12-08 (about 3 years ago)

Last Updated

2022-12-08 (about 3 years ago)

Other

Published

Title

Published

2025-03-07

Title

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates < 5.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-11-10

Title

Squirrels Auto Inventory <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2025-09-22

Title

Maps for WP <= 1.2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-11-08

Title

Custom URL Shortener <= 0.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-07-14

Title

Slide Anything < 2.3.47 - Author+ Cross Site Scripting in slide title