CM Pop-Up banners < 1.4.11 – Authenticated Stored XSS | Plugin Vulnerabilities

Description

When saving a new campaign, a user with edit_pages capabilities can store scripts in the campaign’s pop-up content. The code can then be executed on every page on the website.

Proof of Concept

A user with the edit_pages capability can store any script in the pop-up's content. The content is serialized and then saved as post_meta. Script tags are stripped, but on viewing the pop-up, the content is unserialized and script tags are added again. 

If the checkbox to show the popup on every page is checked, the script will be executed on every page. 

The editing function is accessible for the administrator and editor role, so any website with this plugin activated under version 1.4.10 and with a vulnerable user role from editor up, is vulnerable to site-wide XSS hacks. 

PoC video: https://www.youtube.com/watch?v=0T7sHJwkP5o

Affects Plugins

cm-pop-up-banners

Fixed in 1.4.11

References

URL

https://jrjmulder.nl/plugins/cm-pop-up-banners-for-wordpress-1-4-10-authenticated-stored-xss/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Jeroen Mulder

Submitter

Jeroen Mulder

Submitter website

https://jrjmulder.nl

Verified

No

WPVDB ID

b9d2f603-fd4a-4028-9799-7a88f2ce279c

Timeline

Publicly Published

2020-03-27 (about 6 years ago)

Added

2020-03-27 (about 6 years ago)

Last Updated

2020-03-28 (about 6 years ago)

Other

Published

Title

Published

2025-09-09

Title

PowerPack Lite for Elementor < 2.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting Via 'cursor_url'

Published

2021-05-26

Title

Gallery From Files <= 1.6.0 - Reflected Cross-Site Scripting (XSS)

Published

2025-02-21

Title

WooCommerce HTML5 Video <= 1.7.10 - Reflected Cross-Site Scripting

Published

2024-09-24

Title

Website Builder by SeedProd < 6.18.4 - Editor+ Stored XSS

Published

2014-08-01

Title

IgnitionDeck 1.1 - Purchase Form Unspecified XSS