cbcvebase.
CVE-2022-1104
published 2022-05-09

CVE-2022-1104: The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to…

PriorityP336medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EXPLOIT
EPSS
53.90%
98.9th percentile
The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Affected

1 ranges
VendorProductVersion rangeFixed in
code-atlanticpopup_maker< 1.16.51.16.5

Detection & IOCsextracted from sources · hover to see the quote

versionPopup Maker < 1.16.5
  • Monitor for unsanitized script injection in the Popup Maker 'Cookie Time' field under Popup Settings > Triggers > Add New Cookie. The XSS payload is stored in the Cookie Time parameter, which normally holds a value like '1 month'.
  • Alert on authenticated POST requests to WordPress Popup Maker plugin endpoints where the Cookie Time field contains script tags or JavaScript event handlers rather than a time-duration value.
  • ·The vulnerability is exploitable even when the WordPress 'unfiltered_html' capability is disallowed, meaning standard hardening of that capability does NOT prevent this attack.
  • ·Exploitation requires authentication as a high-privilege user (e.g., admin), so this is an authenticated Stored XSS, not an unauthenticated one.

CVSS provenance

nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
vendor_redhat8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.