WordPress Plugin Popup Maker < 1.16.5 – Stored Cross-Site Scripting (Authenticated)

  • Author: Roel van Beurden
  • Date: 2022-04-19
  • Source: https://www.exploit-db.com/exploits/50876/
# Exploit Title: WordPress Plugin Popup Maker <1.16.5 - Persistent Cross-Site Scripting (Authenticated)
# Date: 2022-03-03
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://wppopupmaker.com
# Software Link: https://downloads.wordpress.org/plugin/popup-maker.1.16.4.zip
# Version: <1.16.5
# Tested on: WordPress 5.9 on Ubuntu 20.04
    
    
1. Description:
----------------------
WordPress Plugin Popup Maker <1.16.5 does not sanitise or escape some of its popup settings. A high-privilege user such as an administrator can therefore store a JavaScript payload in a popup setting and perform a Stored Cross-Site Scripting attack, even when the unfiltered_html capability is disallowed (the WordPress control, enforced for non-super-admins on multisite or via the DISALLOW_UNFILTERED_HTML constant, that is meant to stop such users from saving raw HTML).
    
    
2. Proof of Concept:
----------------------
Create Popup > Popup Settings > Triggers > Add New Cookie > Add > Cookie Time (replace the default '1 month' with an XSS payload).
Clicking 'Add' triggers the XSS payload.
    
Payload examples:

<script>alert('XSS');</script>
<img src=x onerror=alert('XSS')>
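The two defences that close this class of bug, shown side by side as an added example (this is illustrative code written for this page, not Popup Maker's own code): validate the setting on input against a strict allow-list, and escape it on output. The field name "time", the expected duration format ("1 month", "30 days", ...) and the row-rendering functions are assumptions for the example; the two payloads are the ones listed above.

```javascript
// Added example, not Popup Maker's code. Models a "cookie time" setting
// (assumed format: integer + unit, e.g. "1 month") being saved and rendered
// in an admin page, first unsafely and then with input validation plus
// output escaping.

// Strict allow-list for a cookie lifetime. Anything carrying markup fails
// validation before it is ever stored, regardless of the user's capabilities.
const COOKIE_TIME_RE = /^\s*(\d{1,5})\s+(second|minute|hour|day|week|month|year)s?\s*$/i;

// Returns the canonical duration string, or null if the value is not a
// plain duration (e.g. the XSS payloads above).
function validateCookieTime(value) {
  const m = COOKIE_TIME_RE.exec(String(value));
  if (!m) return null;
  const n = Number(m[1]);
  const unit = m[2].toLowerCase();
  return `${n} ${unit}${n === 1 ? '' : 's'}`;
}

// Escape for an HTML text or quoted-attribute context; the same characters
// WordPress's esc_html()/esc_attr() neutralise.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored setting is concatenated straight into markup.
// Whatever was saved is interpreted as HTML when the row is rendered.
function renderCookieRowUnsafe(cookie) {
  return `<tr><td>${cookie.name}</td><td>${cookie.time}</td></tr>`;
}

// Hardened pattern: every stored value is escaped at the point of output,
// so a payload is displayed as text instead of executed.
function renderCookieRowSafe(cookie) {
  return `<tr><td>${escapeHtml(cookie.name)}</td><td>${escapeHtml(cookie.time)}</td></tr>`;
}

// Save handler modelling the admin form: validate on input and fall back to
// the default rather than storing an arbitrary string.
function saveCookieSetting(input, defaults = { time: '1 month' }) {
  const time = validateCookieTime(input.time) ?? defaults.time;
  return { name: String(input.name), time };
}

// The payloads from the advisory (constructed sample input).
const PAYLOADS = [
  "<script>alert('XSS');</script>",
  "<img src=x onerror=alert('XSS')>",
];

// Runs each payload through the unsafe render, the safe render and the
// validating save handler, returning all three results for inspection.
function demo() {
  return PAYLOADS.map((payload) => {
    const attackerInput = { name: 'pum-cookie', time: payload };
    return {
      payload,
      unsafe: renderCookieRowUnsafe(attackerInput),
      safe: renderCookieRowSafe(attackerInput),
      stored: saveCookieSetting(attackerInput),
    };
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

Both layers matter: validation alone leaves any other unvalidated setting exposed, and escaping alone still stores attacker-controlled markup that another code path (an export, an API response, a template) may render unescaped. Note that neither layer depends on unfiltered_html; the capability check is a policy gate, not a substitute for sanitising and escaping the value.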