Popup box < 3.7.2 – Admin+ Stored Cross-Site Scripting | CVE 2023-4390 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Proof of Concept

1. Create a new PopUp Box within the plugin.
2. In the "Custom Content" and Popup Description fields, enter the following payload when in text mode: <img src onerror=alert(/XSS/)>
3. The XSS will be triggered when editing the Popup up again, or when accessing the frontend (such as the homepage)

Affects Plugins

Fixed in 3.7.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Prasad Borvankar

Submitter

Prasad Borvankar

Verified

Yes

WPVDB ID

9fd2eb81-185d-4d42-8acf-925664b7cb2f

Timeline

Publicly Published

2023-08-29 (about 2 years ago)

Added

2023-10-09 (about 2 years ago)

Last Updated

2023-10-09 (about 2 years ago)

Other

Published

Title

Published

2023-12-05

Title

Soledad < 8.4.2 - Reflected Cross-Site Scripting

Published

2024-03-12

Title

HT Mega < 2.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via titleTag

Published

2017-04-12

Title

Multiple BestWebSoft Plugins - Authenticated Cross-Site Scripting (XSS)

Published

2021-10-05

Title

World Travel Information <= 1.0.0 - Reflected Cross-Site Scripting

Published

2024-05-24

Title

LuckyWP Table of Contents < 2.1.6 - Admin+ Stored XSS