WordPress Popup Maker 1.16.5 Cross Site Scripting

2022.04.24

Credit: Roel van Beurden

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: WordPress Plugin Popup Maker <1.16.5 - Persistent Cross-Site Scripting (Authenticated)
# Date: 2022-03-03
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://wppopupmaker.com
# Software Link: https://downloads.wordpress.org/plugin/popup-maker.1.16.4.zip
# Version: <1.16.5
# Tested on: WordPress 5.9 on Ubuntu 20.04
1. Description:
----------------------
WordPress Plugin Popup Maker <1.16.5 does not sanitise and escape some of its popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
2. Proof of Concept:
----------------------
Create Popup > Popup Settings > Triggers > Add New Cookie > Add > Cookie Time (overwrite the default '1 month' with XSS payload)
Click 'Add' what triggers the XSS payload
Payload examples:
<script>alert('XSS');</script>
<img src=x onerror=alert('XSS')>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Popup Maker 1.16.5 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.