Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-1104

CWE-79Cross-site Scripting (XSS)CWE-11045 documents5 sources
Severity
4.8MEDIUM
EPSS
13.5%
top 5.78%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Code-atlantic Popup Maker
Timeline
PublishedMay 9
Latest updateJan 17

Description

The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-3rvm-p49f-2hqp: The Popup Maker WordPress plugin before 12022-05-10
CVEList
Popup Maker < 1.16.5 - Admin+ Stored Cross-Site Scripting2022-05-09

💥Exploits & PoCs

1
Exploit-DB
WordPress Plugin Popup Maker 1.16.5 - Stored Cross-Site Scripting (Authenticated)2022-04-19

📋Vendor Advisories

1
Red Hat
Mozilla: libusrsctp library out of date2023-01-17
CVE-2022-1104 (MEDIUM CVSS 4.8) | The Popup Maker WordPress plugin be | cvebase.io