WordPress Plugin Vulnerabilities

WP Popups < 2.1.4.9 - Contributor+ Stored XSS

Description

The plugin does not validate and escape the href attribute of its spu-facebook-page shortcode before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
wp-popups-lite
Fixed in 2.1.4.9

References

CVE
CVE-2023-24003

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
Yes
WPVDB ID
4fd21aff-0fcb-459b-8792-80e0671c510e

Timeline

Publicly Published
2023-01-23 (about 3 years ago)
Added
2023-04-06 (about 3 years ago)
Last Updated
2023-04-06 (about 3 years ago)

Other

Published
Title
Published
2025-10-03
Title
Jeg Elementor Kit < 2.7.0 - Author+ Stored XSS
Published
2017-11-21
Title
Emag Marketplace Connector 1.0 - Unauthenticated Cross-Site Scripting (XSS)
Published
2023-03-02
Title
Easy Testimonial Slider and Form < 1.0.16 - Reflected Cross-Site Scripting
Published
2022-04-19
Title
th23 Social <= 1.2.0 - Admin+ Stored Cross-Site Scripting
Published
2024-04-15
Title
Code Insert Manager (Q2W3 Inc Manager) <= 2.5.3 - Reflected Cross-Site Scripting