Lucene search
WpvulndbWPVDB-ID:B6AC3E15-6F39-4514-A50D-CCA7B9457736HistoryApr 17, 2023 - 12:00 a.m.
WP Popups < 2.1.5.1 - Contributor+ Stored XSS
2023-04-1700:00:00
wpscan.com
5
wp popups
stored xss
contributor role
cross-site scripting
insufficient fix
cve-2023-24003
0.001 Low
EPSS
Percentile
23.5%
The plugin does not properly escape the href attribute of its spu-facebook-page shortcode before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. This is due to an insufficient fix of CVE-2023-24003
PoC
[spu-facebook-page href=“javascript:alert(/XSS/)” name=“ClickMe!”] The XSS will be triggered when a user click on the ClickMe! link in the page where the shortcode is embed
| CPE | Name | Operator | Version |
|---|---|---|---|
| wp-popups-lite | lt | 2.1.5.1 |
Related
prion
prion
Cross site scripting
2023-05-08 14:15:00
Cross site scripting
2023-04-06 09:15:00
wpexploit
wpexploit
WP Popups < 2.1.5.1 - Contributor+ Stored XSS
2023-04-17 00:00:00
cve
cve
CVE-2023-1905
2023-05-08 14:15:13
CVE-2023-24003
2023-04-06 09:15:07
cvelist
cvelist
nvd
nvd
CVE-2023-1905
2023-05-08 14:15:13
CVE-2023-24003
2023-04-06 09:15:07
wpvulndb
wpvulndb
WP Popups < 2.1.4.9 - Contributor+ Stored XSS
2023-01-23 00:00:00
wordfence
wordfence