Unauthenticated Arbitrary Popup Creation and Stored XSS Vulnerability in Popup Manager WordPress Plugin

Unauthenticated Arbitrary Popup Creation and Stored XSS Vulnerability in Popup Manager WordPress Plugin

CVE-2022-4125 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

The Popup Manager WordPress plugin through 1.6.6 does not have authorisation and CSRF check when creating/updating popups, and is missing sanitisation as well as escaping, which could allow unauthenticated attackers to create arbitrary popups and add Stored XSS payloads as well

Learn more about our Wordpress Pen Testing.