WordPress Plugin Vulnerabilities

Simple Popup Images <= 1.8.6 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
simple-popup
No known fix

References

CVE
CVE-2023-24406

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
yuyudhn
Verified
No
WPVDB ID
281c2cf2-3d0a-46e1-a671-fe2b692d45d1

Timeline

Publicly Published
2023-04-13 (about 1 years ago)
Added
2023-05-10 (about 1 years ago)
Last Updated
2023-05-10 (about 1 years ago)

Other

Published
Title
Published
2021-10-05
Title
WP-Recall < 16.24.48 - Reflected Cross-Site Scripting
Published
2016-09-22
Title
Google Document Embedder < 2.6.1 - XSS
Published
2019-04-09
Title
WP Statistics <= 12.6.3 - Referer Cross-Site Scripting (XSS)
Published
2023-09-26
Title
flowpaper < 2.0.4 - Contributor+ Stored XSS
Published
2024-04-26
Title
Smart Recent Posts Widget <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting