This vulnerability displays an XSS flaw in a WordPress popup plugin, allowing attackers to inject malicious JavaScript through a stored XSS# CVE-2023-6000-POC
This vulnerability allows an attacker to exploit a Cross-Site Scripting (XSS) flaw in the WordPress Popup Builder plugin.
The plugin fails to prevent regular visitors from modifying existing popups and by sending a specially crafted request to the server,
the attacker can inject malicious scripts into the popup, which will execute when users interact with the popup.
For this POC, the vulnerability will trigger by manipulating the popup’s opening behavior, where a simple alert script, will be injected to run when the popup opens.
This type of attack can lead to a range of issues, including unauthorized access to sensitive information and further exploitation of the affected website, potentially compromising user data or the entire site.
## Affected Versions
- Fixed Version : **Popup Builder 4.2.3**
- CVE-ID : **CVE-2023-6000**
- Type : **Stored XSS**
## Timeline
- 2023‑11‑07 – Details of the vulnerability sent to the Popup Builder team
- 2023‑11‑13 – Popup Builder 4.2.2 is released, but still vulnerable
- 2023‑11‑21 – We escalate the issue to WordPress.org’s Plugin team
- 2023‑12‑07 – Patch released by the Popup Builder team on version 4.2.3
[4.0K] /data/pocs/60efb3f492101a8b512a70ddbd76d723cedfd8d7
├── [2.7K] Environment Setup.md
├── [3.7K] Exploit.md
└── [1.2K] README.md
0 directories, 3 files