Popup Manager <= 1.6.6 - Unauthenticated Stored XSS
CVE-2022-4125

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Popup Manager
Vendor: CVE Published:; 19 December 2022

Summary

The Popup Manager WordPress plugin through 1.6.6 does not have authorisation and CSRF check when creating/updating popups, and is missing sanitisation as well as escaping, which could allow unauthenticated attackers to create arbitrary popups and add Stored XSS payloads as well

Affected Version(s)

Popup Manager 0 <= 1.6.6

References

https://wpscan.com/vulnerability/7862084a-2821-4ef1-8d01-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 19, 2022
Vulnerability Reserved
Nov 23, 2022

Credit

Lana Codes