Headline

CVE-2022-28612: WordPress Custom Popup Builder plugin <= 1.3.1 - Improper Access Control vulnerability leading to multiple Authenticated Stored XSS - Patchstack

Improper Access Control vulnerability leading to multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Muneeb’s Custom Popup Builder plugin <= 1.3.1 at WordPress.

2 years ago

CVE

Open in Source

#xss #vulnerability #wordpress #auth

Verified

Not fixed

5.4

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Popup | Custom Popup Builder

Vulnerable versions

<= 1.3.1

PSID

be2775a50917

Classification

Cross Site Scripting (XSS)

OWASP Top 10

A7: Cross-Site Scripting (XSS)

Required privilege

Requires contributor or higher role user authentication.

Publicly disclosed

2022-06-14

Details

Improper Access Control vulnerability leading to multiple Authenticated Stored XSS discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Custom Popup Builder plugin (versions <= 1.3.1).

Solution

Deactivate and delete. This plugin has been closed as of May 26, 2022 and is not available for download. This closure is temporary, pending a full review.

References

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

9 months ago

9 months ago

9 months ago

9 months ago

9 months ago