WordPress Plugin Vulnerabilities

WP Popups < 2.1.5.1 - Contributor+ Stored XSS

Description

The plugin does not properly escape the href attribute of its spu-facebook-page shortcode before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. This is due to an insufficient fix of CVE-2023-24003

Proof of Concept

[spu-facebook-page href="javascript:alert(/XSS/)" name="ClickMe!"]

The XSS will be triggered when a user click on the ClickMe! link in the page where the shortcode is embed

Affects Plugins

Plugin icon
wp-popups-lite
Fixed in 2.1.5.1

References

CVE
CVE-2023-1905

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
b6ac3e15-6f39-4514-a50d-cca7b9457736

Timeline

Publicly Published
2023-04-17 (about 1 years ago)
Added
2023-04-17 (about 1 years ago)
Last Updated
2023-04-17 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
Xorbin Digital Flash Clock 1.0 - Flash-based XSS
Published
2015-05-12
Title
Modern Theme <= 1.4.1 - DOM Cross-Site Scripting (XSS)
Published
2021-08-24
Title
Live Scores for SportsPress < 1.9.1 - Reflected Cross-Site Scripting
Published
2024-04-22
Title
Royal Elementor Addons and Templates < 1.3.972 - Contributor+ Stored Cross-Site Scripting via Flip Carousel, Flip Box, Post Grid, and Taxonomy List Widget Attributes
Published
2023-05-23
Title
WordPress File Upload and WordPress File Upload Pro < 4.19.2 - Admin+ Stored Cross-Site Scripting