CVE-2019-25744— WordPress plugin Popup Builder 跨站脚本漏洞

WordPress Popup Builder 3.49 Persistent Cross-Site Scripting

WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payloads in the post_title field that execute when pages or posts display popup selections.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

WordPress plugin Popup Builder 跨站脚本漏洞

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Popup Builder 3.49版本存在跨站脚本漏洞，该漏洞源于在post_title参数中跳出选项标签，可能导致经过身份验证的攻击者执行持久性跨站脚本攻击。

N/A

N/A