Stored Cross-Site Scripting | ww.wp.xz.cn

Resolved crzyhrse
(@crzyhrse)

2 years, 8 months ago

Don’t think this will be a concern for me on the single site I am using your plugin on, but wanted to let you know Wordfence is reporting this:

Popup Builder <= 4.1.15 – Authenticated (Admin+) Stored Cross-Site Scripting
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
CVE CVE-2023-3226
CVSS 4.4 (Medium)
Publicly Published August 28, 2023
Last Updated September 5, 2023
Researcher Dipak Panchal
Description
The Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Viewing 1 replies (of 1 total)

Plugin Support Jawada
(@jawada)

2 years, 8 months ago

Hi @crzyhrse

Thank you for bringing this to our attention. This issue has been fixed and in the testing stage, if you like to have the beta version, please contact us directly. You can visit the following link,

https://help.popup-builder.com/en/,

Regards

Viewing 1 replies (of 1 total)

The topic ‘Stored Cross-Site Scripting’ is closed to new replies.

1 reply
2 participants
Last reply from: Jawada
Last activity: 2 years, 8 months ago
Status: resolved