WP Popups < 2.1.5.1 – Contributor+ Stored XSS | CVE 2023-1905 | Plugin Vulnerabilities

Description

The plugin does not properly escape the href attribute of its spu-facebook-page shortcode before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. This is due to an insufficient fix of CVE-2023-24003

Proof of Concept

[spu-facebook-page href="javascript:alert(/XSS/)" name="ClickMe!"]

The XSS will be triggered when a user click on the ClickMe! link in the page where the shortcode is embed

Affects Plugins

Fixed in 2.1.5.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

b6ac3e15-6f39-4514-a50d-cca7b9457736

Timeline

Publicly Published

2023-04-17 (about 2 years ago)

Added

2023-04-17 (about 2 years ago)

Last Updated

2023-04-17 (about 2 years ago)

Other

Published

Title

Published

2022-12-05

Title

Loginizer < 1.7.6 - Reflected XSS

Published

2020-10-07

Title

WPBakery Page Builder < 6.4.1 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2025-01-27

Title

ElementsKit Pro < 3.7.9 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via url Parameter

Published

2024-04-03

Title

Better Comments < 1.5.6 - Admin+ Stored XSS

Published

2024-06-20

Title

Master Slider < 3.10.5 - Reflected Cross-Site Scripting