Popup Maker < 1.16.11 – Contributor+ Stored Cross Site Scripting | CVE 2022-3690 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its Popup options, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against admins

Proof of Concept

Create a New popup
Insert pop-up name, title, and body text. 
Add a new trigger with default settings, choose "Click Open" and under "On Popup Close" then click add.
Click add new cookie and in the cookie name add the payload as cookie name: <script>alert("XSS")</script>
The XSS will be triggered when editing a trigger

Affects Plugins

Fixed in 1.16.11

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

c3p0d4y

Submitter

c3p0d4y

Submitter twitter

https://twitter.com/c3p01337

Verified

Yes

WPVDB ID

725f6ae4-7ec5-4d7c-9533-c9b61b59cc2b

Timeline

Publicly Published

2022-10-31 (about 3 years ago)

Added

2022-10-31 (about 3 years ago)

Last Updated

2022-12-08 (about 3 years ago)

Other

Published

Title

Published

2022-11-28

Title

FlyingPress < 3.9.7 - Arbitrary Settings Update to Stored XSS

Published

2025-06-27

Title

WP DataTable <= 0.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-12-17

Title

Embed Any Document < 2.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-03-11

Title

Tabbed Login Widget <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-06-06

Title

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid < 7.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting