Description
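The WordPress Popup plugin for WordPress, through version 1.9.3.8, does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup). With unfiltered_html disallowed, such users are not supposed to be able to store raw HTML or script, so the missing sanitisation and output escaping lets them bypass that restriction. The Patchstack record below gives the remediation as deactivating and deleting the plugin, which was closed as of July 5, 2022 pending a full review.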
Affected Software
Related
{"id": "CVE-2022-2305", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2022-2305", "description": "The WordPress Popup WordPress plugin through 1.9.3.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)", "published": "2022-08-01T13:15:00", "modified": "2022-08-05T21:46:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.7, "impactScore": 2.7}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2305", "reporter": "contact@wpscan.com", "references": ["https://wpscan.com/vulnerability/ea0180cd-e018-43ea-88b9-fa8e71bf34bf"], "cvelist": ["CVE-2022-2305"], "immutableFields": [], "lastseen": "2022-08-05T22:42:14", "viewCount": 12, "enchantments": {"twitter": {"counter": 3, "tweets": [{"link": "https://twitter.com/vulnonym/status/1554140741798068228", "text": "Let the annals of the day show that CVE-2022-2305... 
has been granted the moniker Doughty Sistrum\nhttps://t.co/AkhHQnfaIl", "author": "vulnonym", "author_photo": "https://pbs.twimg.com/profile_images/1235605772878438405/6p9IJVtn_400x400.jpg"}, {"link": "https://twitter.com/ThreatFeed/status/1555337821447077888", "text": "CVE-2022-2305 https://t.co/5DFdlyOVow", "author": "ThreatFeed", "author_photo": "https://abs.twimg.com/sticky/default_profile_images/default_profile_400x400.png"}]}, "score": {"value": 2.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "patchstack", "idList": ["PATCHSTACK:AE7094A1D77CE1023500CFB74E57A270"]}, {"type": "wpexploit", "idList": ["WPEX-ID:EA0180CD-E018-43EA-88B9-FA8E71BF34BF"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:EA0180CD-E018-43EA-88B9-FA8E71BF34BF"]}]}, "vulnersScore": 2.2}, "_state": {"twitter": 0, "score": 1660017089, "dependencies": 1660016946}, "_internal": {"score_hash": "57ec5cc7be7325a023b3ec859ec26cd9"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:timersys:popups:1.9.3.8"], "cpe23": ["cpe:2.3:a:timersys:popups:1.9.3.8:*:*:*:*:wordpress:*:*"], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "timersys:popups", "version": "1.9.3.8", "operator": "le", "name": "timersys popups"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:timersys:popups:1.9.3.8:*:*:*:*:wordpress:*:*", "versionEndIncluding": "1.9.3.8", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://wpscan.com/vulnerability/ea0180cd-e018-43ea-88b9-fa8e71bf34bf", "name": "https://wpscan.com/vulnerability/ea0180cd-e018-43ea-88b9-fa8e71bf34bf", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"wpvulndb": [{"lastseen": "2022-08-06T03:59:40", "description": "The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)\n\n### PoC\n\nOn http://target.tld/wp-admin/edit.php?post_type=spucpt&page;=spu_settings Add the payload \"> on the Affiliate link text field\n", "cvss3": {"exploitabilityScore": 1.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "baseScore": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-07-05T00:00:00", "type": "wpvulndb", "title": "WordPress Popup <= 1.9.3.8 - Admin+ Stored Cross-Site Scripting", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-2305"], "modified": "2022-07-05T17:38:34", "id": "WPVDB-ID:EA0180CD-E018-43EA-88B9-FA8E71BF34BF", "href": "https://wpscan.com/vulnerability/ea0180cd-e018-43ea-88b9-fa8e71bf34bf", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "wpexploit": [{"lastseen": "2022-08-06T03:59:40", "description": "The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)\n", "cvss3": {"exploitabilityScore": 1.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "baseScore": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", 
"userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-07-05T00:00:00", "type": "wpexploit", "title": "WordPress Popup <= 1.9.3.8 - Admin+ Stored Cross-Site Scripting", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-2305"], "modified": "2022-07-05T17:38:34", "id": "WPEX-ID:EA0180CD-E018-43EA-88B9-FA8E71BF34BF", "href": "", "sourceData": "On http://target.tld/wp-admin/edit.php?post_type=spucpt&page=spu_settings\r\n\r\nAdd the payload \"><script>alert(/XSS/)</script> on the Affiliate link text field", "cvss": {"score": 0.0, "vector": "NONE"}}], "patchstack": [{"lastseen": "2022-08-06T01:59:58", "description": "Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Raad Haddad in WordPress Popups plugin (versions <= 1.9.3.8).\n\n## Solution\n\n\nDeactivate and delete. This plugin has been closed as of July 5, 2022 and is not available for download. This closure is temporary, pending a full review.\r\n ", "cvss3": {"exploitabilityScore": 1.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "baseScore": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-07-07T00:00:00", "type": "patchstack", "title": "WordPress Popups plugin <= 1.9.3.8 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-2305"], "modified": "2022-07-07T00:00:00", "id": "PATCHSTACK:AE7094A1D77CE1023500CFB74E57A270", "href": "https://patchstack.com/database/vulnerability/popups/wordpress-popups-plugin-1-9-3-8-authenticated-stored-cross-site-scripting-xss-vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}]}