WordPress Plugin Vulnerabilities

Popup box < 3.8.6 - Admin+ Stored XSS in Popup Settings

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Add a new Popup
2. In the "Popups > Settings" section, add the PoC `"><script>alert(92)</script>` for any of the "Close Button" parameters.
3. Save and navigate back to the popups and see the XSS.

Affects Plugins

Plugin icon
ays-popup-box
Fixed in 3.8.6

References

CVE
CVE-2023-5874

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Verified
Yes
WPVDB ID
ebe3e873-1259-43b9-a027-daa4dbd937f3

Timeline

Publicly Published
2023-11-13 (about 6 months ago)
Added
2023-11-13 (about 6 months ago)
Last Updated
2023-11-13 (about 6 months ago)

Other

Published
Title
Published
2022-03-07
Title
Plezi < 1.0.3 - Unauthenticated Stored XSS
Published
2017-03-01
Title
Gwolle Guestbook <= 2.1.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2022-06-01
Title
Modern Events Calendar Lite < 6.3.0 - Authenticated Stored Cross-Site Scripting
Published
2019-06-26
Title
Live Chat Unlimited <= 2.8.3 - Stored Cross-Site Scripting (XSS)
Published
2024-04-22
Title
Advanced Floating Content Lite < 1.2.6 - Authenticated (Editor+) Stored Cross-Site Scripting