CVE-2020-10196Cross-site Scripting in Popup Builder

CWE-79Cross-site Scripting5 documents4 sources
Severity
6.1MEDIUMNVD
EPSS
0.2%
top 54.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Sygnoos Popup Builder
Timeline
PublishedMar 13
Latest updateMar 24

Description

An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several of the popup's fields by sending a request to wp-admin/admin-ajax.php with the POST action parameter of sgpb_autosave and including additional data in an allPopupData parameter, including the popup's ID (

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

NVDsygnoos/popup_builder< 3.64.1

🔴Vulnerability Details

4
OSV
graphviz vulnerabilities2023-03-24
GHSA
GHSA-3mqf-h9j7-cgh5: An XSS vulnerability in the popup-builder plugin before 32022-05-24
OSV
graphviz vulnerabilities2022-02-03
CVEList
CVE-2020-10196: An XSS vulnerability in the popup-builder plugin before 32020-03-13
CVE-2020-10196 — Cross-site Scripting in Popup Builder | cvebase