The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
History

Mon, 07 Oct 2024 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Code-atlantic
Code-atlantic popup Maker
Weaknesses CWE-79
CPEs cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*
Vendors & Products Code-atlantic
Code-atlantic popup Maker

Tue, 10 Sep 2024 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Popup Maker
Popup Maker popup Maker Wp
CPEs cpe:2.3:a:popup_maker:popup_maker_wp:*:*:*:*:*:*:*:*
Vendors & Products Popup Maker
Popup Maker popup Maker Wp
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Sep 2024 06:15:00 +0000

Type Values Removed Values Added
Description The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Title Popup Maker < 1.19.1 - Admin+ Stored XSS
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2024-09-09T06:00:01.342Z

Updated: 2024-09-10T15:03:35.881Z

Reserved: 2024-05-31T09:45:00.508Z

Link: CVE-2024-5561

cve-icon Vulnrichment

Updated: 2024-09-10T15:03:30.442Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-09T06:15:01.850

Modified: 2024-10-07T17:45:29.950

Link: CVE-2024-5561

cve-icon Redhat

No data.