Lucene search
Tin Pham aka TF1T WPEX-ID:2660225A-E4C8-40F2-8C98-775EF2301212HistorySep 23, 2022 - 12:00 a.m.
Popup Maker < 1.16.9 - Contributor+ Stored XSS via Shortcode
2022-09-2300:00:00
Tin Pham aka TF1T
156
0.001 Low
EPSS
Percentile
23.5%
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks
As a user with the Contributor or above, create a new Popup (in Popup Maker menu) with "content" field containing [popup_close tag="script"]alert(/XSS/)[/popup_close].
The XSS will be triggered when previewing the Popup, as well as in Frontend pages (once the popup is published)
Alternatively, the shortcode can also be put directly in any post/page and the XSS will be triggered when the post/page will be previewed/viewedRelated
prion
prion
Cross site scripting
2023-01-02 22:15:00
osv
osv
CVE-2022-4362
2023-01-02 22:15:17
cve
cve
CVE-2022-4362
2023-01-02 22:15:17
wpvulndb
wpvulndb
Popup Maker < 1.16.9 - Contributor+ Stored XSS via Shortcode
2022-09-23 00:00:00
cvelist
cvelist
CVE-2022-4362 Popup Maker < 1.16.9 - Contributor+ Stored XSS via Shortcode
2023-01-02 21:49:24
nvd
nvd
CVE-2022-4362
2023-01-02 22:15:17
openvas
openvas
WordPress Popup Maker Plugin < 1.16.9 Multiple XSS Vulnerabilities
2023-02-23 00:00:00