WordPress Plugin Vulnerabilities

Popup Anything < 2.0.4 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not escape the Link Text and Button Text fields of Popup, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks

Affects Plugins

popup-anything-on-click

Fixed in version 2.0.4

References

CVE

CVE-2021-24883

URL

https://www.fortiguard.com/zeroday/FG-VD-21-069

URL

https://plugins.trac.wordpress.org/changeset/2610975

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Vishnupriya ilango

Submitter

Vishnupriya ilango

Submitter website

https://www.fortiguard.com/zeroday

Verified

Yes

WPVDB ID

c5dd3812-ea20-4e05-a5d3-84830b452822

Timeline

Publicly Published

2021-10-25 (about 1 years ago)

Added

2021-10-26 (about 1 years ago)

Last Updated

2022-04-13 (about 11 months ago)

Our Other Services

WPScan WordPress Security Plugin