Popup Box < 3.7.9 – Admin+ Stored XSS | CVE 2023-5343 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Proof of Concept

1) Create a new popup via /wp-admin/admin.php?page=ays-pb&action=add
2) Set its "Custom content" and "Popup description" fields to the following: <script>alert(1);</script>
3) Save, and notice the alert box appearing when re-editing the popup, and visiting the website.

Affects Plugins

Fixed in 3.7.9

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Rafael Aristodimou

Submitter

Rafael Aristodimou

Verified

Yes

WPVDB ID

74613b38-48f2-43d5-bae5-25c89ba7db6e

Timeline

Publicly Published

2023-10-27 (about 2 years ago)

Added

2023-10-27 (about 2 years ago)

Last Updated

2024-01-02 (about 1 year ago)

Other

Published

Title

Published

2014-08-01

Title

Better WP Security 3.6.3 - Online Backup Storage current_time Function Brute Force Disclosure

Published

2025-05-06

Title

CarDealerPress < 6.8.2505.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via saleclass Parameter

Published

2021-08-30

Title

Docket Cache < 21.08.02 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Connections Business Directory <= 0.7.9.3 - Pagination URL H&ling XSS

Published

2023-08-29

Title

Social Media & Share Icons < 2.8.4 - Reflected XSS