CM Popup Plugin for WordPress < 1.6.6 – Contributor+ Stored XSS | CVE 2024-5004 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of the campaign settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

1. As admin, create a new campaign (wp-admin/post-new.php?post_type=cm-ad-item)

2. In the option, put the following payload in the Basic Visual > Width field: `asd</style><script>alert(1)</script>`

3. At https://example.com/wp-admin/edit.php?post_type=cm-ad-item preview the campaign to see the XSS

Note: Multiple fields are vulnerable

Affects Plugins

cm-pop-up-banners

Fixed in 1.6.6

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Felipe Caon

Submitter

caon

Submitter website

https://caon.io

Verified

Yes

WPVDB ID

4bea7baa-84a2-4b21-881c-4f17822329e7

Timeline

Publicly Published

2024-07-01 (about 1 year ago)

Added

2024-07-01 (about 1 year ago)

Last Updated

2024-07-01 (about 1 year ago)

Other

Published

Title

Published

2025-03-03

Title

Form Maker by 10Web < 1.15.30 - Admin+ Stored XSS

Published

2025-04-24

Title

360 View <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-07-11

Title

SKT Skill Bar < 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-31

Title

Media Library Tools < 1.5.0 - Author+ Stored XSS via SVG

Published

2024-03-26

Title

Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds for Google, Facebook/Meta, Bing, & More < 13.2.6 - Reflected Cross-Site Scripting