WordPress Plugin Vulnerabilities

CM Pop-Up Banners for WordPress < 1.7.3 - Contributor+ Stored XSS

Description

The plugin does not sanitise and escape some of its popup fields, which could allow high privilege users such as Contributors to perform Cross-Site Scripting attacks.

Proof of Concept

Affects Plugins

Plugin icon
cm-pop-up-banners
Fixed in 1.7.3

References

CVE
CVE-2024-5799

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Eunho Kim
Submitter
Eunho Kim
Submitter website
https://aiton.tistory.com
Verified
Yes
WPVDB ID
3ee3023a-541c-40e6-8d62-24b4b110633c

Timeline

Publicly Published
2024-08-22 (about 1 year ago)
Added
2024-08-22 (about 1 year ago)
Last Updated
2024-08-22 (about 1 year ago)

Other

Published
Title
Published
2024-11-08
Title
Text Advertisements <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-07-16
Title
Easy Elementor Addons < 2.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-03-25
Title
WP-Lister Lite for Amazon < 2.6.9 - Reflected Cross-Site Scripting
Published
2024-06-06
Title
YITH Custom Login < 1.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2025-06-02
Title
Popup Maker < 1.20.5 - Contributor+ Stored XSS via popupID Parameter