Popup Maker < 1.16.9 – Contributor+ Stored XSS via Shortcode | CVE 2022-4362 | Plugin Vulnerabilities

Description

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a user with the Contributor or above, create a new Popup (in Popup Maker menu) with "content" field containing [popup_close tag="script"]alert(/XSS/)[/popup_close].

The XSS will be triggered when previewing the Popup, as well as in Frontend pages (once the popup is published)

Alternatively, the shortcode can also be put directly in any post/page and the XSS will be triggered when the post/page will be previewed/viewed

Affects Plugins

Fixed in 1.16.9

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Tin Pham aka TF1T

Submitter

Tin Pham aka TF1T

Verified

Yes

WPVDB ID

2660225a-e4c8-40f2-8c98-775ef2301212

Timeline

Publicly Published

2022-09-23 (about 1 years ago)

Added

2022-12-08 (about 1 years ago)

Last Updated

2022-12-08 (about 1 years ago)

Other

Published

Title

Published

2020-11-12

Title

BA Book Everything < 1.3.25 - Unauthenticated Reflected XSS & XFS

Published

2024-01-05

Title

Orbit Fox Companion < 2.10.27 - Contributor+ Stored XSS

Published

2021-11-01

Title

My Calendar < 3.2.18 - Subscriber+ Reflected Cross-Site Scripting

Published

2024-02-14

Title

Premium Addons for Elementor < 4.10.19 - Contributor+ Stored Cross-Site Scripting

Published

2015-02-01

Title

Incoming Links <= 0.9.9b - referrers.php XSS