Popup box < 3.8.6 – Admin+ Stored XSS in Categories | CVE 2023-5809

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Go to "Popup Box > Categories"
2. Add a new category and in the description field add `<script>alert(1)</script>`
3. Save and see the XSS

Affects Plugins

ays-popup-box

Fixed in 3.8.6

References

CVE

CVE-2023-5809

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.5 (low)

Miscellaneous

Original Researcher

Rafael Aristodimou

Submitter

Rafael Aristodimou

Verified

Yes

WPVDB ID

f1eb05e8-1b7c-45b1-912d-f668bd68e265

Timeline

Publicly Published

2023-11-13 (about 6 months ago)

Added

2023-11-13 (about 6 months ago)

Last Updated

2023-11-13 (about 6 months ago)

Other

Published

Title

Published

2022-08-29

Title

Beaver Builder < 2.5.5.3 - Authenticated Stored XSS via Image URL

Published

2021-02-10

Title

All In One WP Security & Firewall < 4.4.6 - Authenticated Cross-Site Scripting (XSS)

Published

2022-02-21

Title

Patreon WordPress < 1.8.2 - Admin+ Stored Cross-Site Scripting

Published

2017-07-24

Title

Simple Custom CSS and JS <= 3.3 - Authenticated Cross-Site Scripting (XSS)

Published

2021-10-25

Title

Ninja Tables < 4.1.8 - Admin+ Stored Cross-Site Cross-Site Scripting