← back
CVE-2023-6000

Popup Builder < 4.2.3 - Unauthenticated Stored XSS

CVSS 6.1 MEDIUMEPSS 2.0%
Vexday Risk Score
28Low
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 6.1EPSS 2.0%KEV nãoPoC Nuclei simMetasploit Patch
Lifecycle
01 Jan 2024Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
Unknown · Popup Builder

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/blog/stored-xss-fixed-in-popup-builder-4-2-3/https://wpscan.com/vulnerability/cdb3a8bd-4ee0-4ce0-9029-0490273bcfc8