← back
CVE-2019-25744

WordPress Popup Builder 3.49 Persistent Cross-Site Scripting

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79
WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payloads in the post_title field that execute when pages or posts display popup selections.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
Popup-Builder · Popup Builder
public PoCs found1
cve_referencewww.exploit-db.com/exploits/47518unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://popup-builder.com/https://wordpress.org/plugins/popup-builder/https://www.exploit-db.com/exploits/47518https://www.vulncheck.com/advisories/wordpress-popup-builder-persistent-cross-site-scripting