WordPress Plugin Popup Maker <1.16.5 - Persistent Cross-Site Scripting (Authenticated)

vendor:

Popup Maker

by:

Roel van Beurden

8.8

CVSS

HIGH

Persistent Cross-Site Scripting (Authenticated)

CWE

Product Name: Popup Maker

Affected Version From: <1.16.5

Affected Version To: <1.16.5

Patch Exists: YES

Related CWE:

CPE: a:wppopupmaker:popup_maker

Metasploit:

Other Scripts:

Platforms Tested: WordPress 5.9 on Ubuntu 20.04

2022

WordPress Plugin Popup Maker <1.16.5 – Persistent Cross-Site Scripting (Authenticated)

WordPress Plugin Popup Maker <1.16.5 does not sanitise and escape some of its popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Mitigation:

Upgrade to version 1.16.5 or later.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Popup Maker <1.16.5 - Persistent Cross-Site Scripting (Authenticated)
# Date: 2022-03-03
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://wppopupmaker.com
# Software Link: https://downloads.wordpress.org/plugin/popup-maker.1.16.4.zip
# Version: <1.16.5
# Tested on: WordPress 5.9 on Ubuntu 20.04


1. Description:
----------------------
WordPress Plugin Popup Maker <1.16.5 does not sanitise and escape some of its popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.


2. Proof of Concept:
----------------------
Create Popup > Popup Settings > Triggers > Add New Cookie > Add > Cookie Time  (overwrite the default '1 month' with XSS payload)
Click 'Add' what triggers the XSS payload

Payload examples:

<script>alert('XSS');</script>
<img src=x onerror=alert('XSS')>