Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-6000

Severity: 6.1 MEDIUM
EPSS: 64.0% (top 1.57%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jan 1; latest update Mar 10

Description

The Popup Builder WordPress plugin before 4.2.3 does not prevent unauthenticated visitors from updating existing popups and injecting raw JavaScript into them, which can lead to stored XSS attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Exploitability: 2.8 | Impact: 2.7)
The vector decodes as: network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, low confidentiality and integrity impact, no availability impact.

Affected Packages (2 packages)

CVEListV5: unknown/popup_builder < 4.2.3

Vulnerability Details (3)

GHSA: GHSA-fhw3-qv5f-7vrw: The Popup Builder WordPress plugin before 4… (2024-01-01)
CVEList: Popup Builder < 4.2.3 - Unauthenticated Stored XSS (2024-01-01)
VulnCheck: sygnoos popup_builder Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (2023)

Exploits & PoCs (2)

Exploit-DB: Saflok - Key Derivation Function Exploit (2024-02-28)
Nuclei: WordPress Popup Builder <= 4.2.3 - Unauthenticated Stored XSS

Vendor Advisories (4)

Chrome: Stable Channel Update for Desktop: CVE-2023-6705 (2023-12-12)
Chrome: Stable Channel Update for ChromeOS/ChromeOS Flex: CVE-2023-5476 (2023-10-18)
Chrome: Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2023-4904 (2023-09-26)
Chrome: Stable Channel Update for Desktop: CVE-2023-7012 (2023-09-12)

Threat Intelligence (1)

Bleepingcomputer: Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware (2024-03-10)
CVE-2023-6000 (MEDIUM CVSS 6.1) | The Popup Builder WordPress plugin | cvebase.io