WordPress Plugin Popup Maker <1.19.1 Stored XSS Vulnerability (CVE-2024-5561)

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Plugin Name: Popup Maker < 1.19.1 2. Vulnerability Type: Admin+ Stored XSS 3. Description: The plugin does not properly sanitize or escape certain settings, allowing high-privilege users (such as administrators) to perform stored cross-site scripting attacks when unfiltered HTML capability is disabled. 4. Proof of Concept: - While an administrator creates or edits a post, use a specific shortcode. - In the plugin settings, add a specific payload to the “Success Message” field. - After the user submits the post, the XSS will be triggered. 5. Affected Plugin: popup 6. References: - CVE ID: CVE-2024-5561 - URL: https://research.cleantalk.org/cve-2024-5561/ 7. Classification: - Type: XSS - OWASP Top 10: A7: Cross-Site Scripting (XSS) - CWE ID: CWE-79 8. Additional Information: - Original Researcher: Dmitrii Ignatyev - Submitter: Dmitrii Ignatyev - Submitter Website: https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/ - Verified: Yes - WPVDB ID: 6a87cc25-bd7d-40e3-96f9-26646cd6f736 - Publication Date: 2024-08-19 - Added Date: 2024-08-19 - Last Updated Date: 2024-08-19 - Other Vulnerabilities Listed: - Pz-LinkCard < 2.5.3 - Reflected XSS - FV Flowplayer Video Player < 7.5.35.7212 - Reflected XSS - SP Project & Document Manager < 4.68 - Admin+ Stored XSS - Martins Free & Easy SEO Link buildings < 1.2.30 - Reflected XSS - flowpaper < 2.0.4 - Contributor+ Stored XSS This information provides a detailed description of the vulnerability, steps to exploit it, its classification, and reference details.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Plugin Popup Maker <1.19.1 Stored XSS Vulnerability (CVE-2024-5561)

More from this source