CM Pop-Up banners < 1.4.11 - Authenticated Stored XSS
Description
When saving a new campaign, a user with the edit_pages capability can store scripts in the campaign's pop-up content. The script is then executed on every page of the website.
Proof of Concept
A user with the edit_pages capability can store any script in the pop-up's content. The content is serialized and saved as post_meta. Script tags are stripped on save, but when the pop-up is viewed the content is unserialized and the script tags are restored.

If the checkbox to show the pop-up on every page is checked, the script is executed on every page.

The editing function is available to the administrator and editor roles, so any website running this plugin at version 1.4.10 or earlier, with an untrusted user in the editor role or above, is exposed to site-wide stored XSS.

PoC video: https://www.youtube.com/watch?v=0T7sHJwkP5o
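
The following is an added example, not the plugin's own code. It models the save/render pattern the advisory describes (sanitize once when the campaign is saved, serialize it into post_meta, then trust it again on display) beside a hardened version that checks the capability and a nonce on save and filters the content with an allow-list at the output sink. The way the tags reappear is an assumption: here the render path decodes HTML entities before echoing, which a save-time strip_tags never saw. The $META array is a constructed stand-in for post_meta so the script runs outside WordPress; when WordPress is loaded, the real update_post_meta, get_post_meta, current_user_can, check_admin_referer and wp_kses_post functions are used instead. All popup_* function names are hypothetical.

```php
<?php
// Added example, not the plugin's code. $META stands in for post_meta when
// WordPress is not loaded (constructed, in-memory storage).
$META = [];

function popup_meta_set(int $post_id, string $key, string $value): void {
    global $META;
    if (function_exists('update_post_meta')) { update_post_meta($post_id, $key, $value); return; }
    $META[$post_id][$key] = $value;
}

function popup_meta_get(int $post_id, string $key): string {
    global $META;
    if (function_exists('get_post_meta')) { return (string) get_post_meta($post_id, $key, true); }
    return $META[$post_id][$key] ?? '';
}

// Vulnerable pattern: strip_tags runs once on the submitted text, so it only
// removes literal "<...>" sequences present at that moment...
function popup_save_vulnerable(int $post_id, array $campaign): void {
    $campaign['content'] = strip_tags($campaign['content']);
    popup_meta_set($post_id, '_popup_campaign', serialize($campaign));
}

// ...while the render path (ASSUMED mechanism) decodes entities after
// unserializing and echoes the result without any output filtering.
function popup_render_vulnerable(int $post_id): string {
    $campaign = unserialize(popup_meta_get($post_id, '_popup_campaign'), ['allowed_classes' => false]);
    $content  = html_entity_decode($campaign['content'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<div class="popup">' . $content . '</div>';
}

// Hardened: the allow-list filter is applied at the sink, after every decoding
// step, so no later transformation can put markup back.
function popup_allowlist(string $html): string {
    if (function_exists('wp_kses_post')) {
        return wp_kses_post($html);            // WordPress allow-list; <script> is never allowed
    }
    return htmlspecialchars($html, ENT_QUOTES, 'UTF-8'); // outside WordPress: escape everything
}

function popup_save_hardened(int $post_id, array $campaign): bool {
    if (function_exists('current_user_can') && !current_user_can('edit_pages')) {
        return false;                           // capability check on the save path
    }
    if (function_exists('check_admin_referer')) {
        check_admin_referer('popup_save_' . $post_id); // nonce check against CSRF
    }
    // Save-side filtering is defence in depth; safety comes from the sink filter.
    popup_meta_set($post_id, '_popup_campaign', serialize($campaign));
    return true;
}

function popup_render_hardened(int $post_id): string {
    $campaign = unserialize(popup_meta_get($post_id, '_popup_campaign'), ['allowed_classes' => false]);
    $content  = html_entity_decode($campaign['content'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<div class="popup">' . popup_allowlist($content) . '</div>';
}

// Runs both paths on one constructed campaign and reports whether a raw
// <script> element reached the output. Returns [vulnerable_leaks, hardened_leaks].
function popup_demo(): array {
    // Constructed input: markup arrives entity-encoded, as editors often submit it.
    $submitted = ['title' => 'Sale', 'content' => '&lt;script&gt;/* marker */&lt;/script&gt;Hello'];

    popup_save_vulnerable(1, $submitted);
    $bad = popup_render_vulnerable(1);

    popup_save_hardened(2, $submitted);
    $ok = popup_render_hardened(2);

    return [strpos($bad, '<script>') !== false, strpos($ok, '<script>') !== false];
}

if (PHP_SAPI === 'cli') {
    [$bad, $ok] = popup_demo();
    echo 'vulnerable render emits <script>: ', var_export($bad, true), "\n"; // true
    echo 'hardened render emits <script>:   ', var_export($ok, true), "\n";  // false
}
```

Run it with `php popup_demo.php`: the vulnerable render emits a literal script element, the hardened render does not. The design point is that sanitize-on-save cannot be the last line of defence when stored data is decoded or transformed before it reaches the browser; escaping or allow-list filtering belongs at the point of output, and in WordPress that is wp_kses_post for rich content or esc_html for plain text.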

Affects Plugin

CM Pop-Up banners, fixed in version 1.4.11

References

URL https://jrjmulder.nl/plugins/cm-pop-up-banners-for-wordpress-1-4-10-authenticated-stored-xss/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Jeroen Mulder
Submitter Jeroen Mulder
Submitter Website https://jrjmulder.nl
Verified No
WPVDB ID 10154

Timeline

Publicly Published 2020-03-27
Added 2020-03-27
Last Updated 2020-03-28
