Popup Box WordPress Plugin Cross-Site Request Forgery Vulnerability Allowing Stored Cross-Site Scripting

Vulnerability

A vulnerability in the Popup Box WordPress plugin, affecting versions prior to 5.5.0, allows Cross-Site Request Forgery (CSRF) attacks. The plugin does not properly validate a nonce in the add_or_edit_popupbox() function before saving popup data. This flaw lets an unauthenticated attacker create or modify popups and inject arbitrary JavaScript, which then executes both in the admin panel and on the frontend. Exploitation requires an authenticated admin to be tricked into visiting a malicious page.

Impact

Exploitation of this vulnerability results in stored Cross-Site Scripting: the injected JavaScript is executed in the browser context of any user who views the affected popup.

Reproduction

To reproduce this vulnerability, create a malicious HTML page with an auto-submitting form that targets the WordPress admin popup box management page. Include a payload in the popup description field, such as a script tag with JavaScript code, like an alert. When an authenticated admin visits the page, the form submission will create or modify a popup with the injected script, which will then execute when the popup is loaded.

Remediation

Users are advised to update the Popup Box WordPress plugin to version 5.5.0 or later.
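For developers reviewing their own plugins for the same class of bug, the following is an added, illustrative WordPress save handler shown in a vulnerable form beside its hardened form; it is not the Popup Box plugin's source, and the function, option, nonce and field names are assumptions.

```php
<?php
// Added, illustrative example: not the Popup Box plugin's actual code.
// The function, option and field names below are assumptions.

// VULNERABLE pattern: any POST to the admin page is accepted as long as the
// victim's browser attaches the admin's session cookies, so a form
// auto-submitted from an attacker-controlled page succeeds (CSRF).
function insecure_save_popup() {
    if ( ! isset( $_POST['popup_description'] ) ) {
        return;
    }
    $popups   = get_option( 'example_popups', array() );
    // Raw HTML/JS is stored and later echoed unescaped: stored XSS.
    $popups[] = array( 'description' => $_POST['popup_description'] );
    update_option( 'example_popups', $popups );
}

// HARDENED pattern: capability check, nonce verification, sanitization.
function secure_save_popup() {
    if ( ! isset( $_POST['popup_description'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // A cross-site form cannot obtain a nonce minted for this action and
    // user, so check_admin_referer() terminates forged requests here.
    check_admin_referer( 'example_save_popup', 'example_popup_nonce' );

    $popups = get_option( 'example_popups', array() );
    // Keep only post-safe HTML; <script> tags and on* handlers are stripped.
    $description = wp_kses_post( wp_unslash( $_POST['popup_description'] ) );
    $popups[]    = array( 'description' => $description );
    update_option( 'example_popups', $popups );
}

// The legitimate admin form embeds the nonce field so its submissions pass.
function secure_popup_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_save_popup', 'example_popup_nonce' );
    echo '<textarea name="popup_description"></textarea>';
    submit_button( 'Save popup' );
    echo '</form>';
}

// Escape on output as well, in case stored data predates the fix.
function render_popup_description( $description ) {
    echo wp_kses_post( $description );
}
```

The nonce check alone closes the CSRF; the output sanitization is defense in depth against popup records saved before the fix.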

Added: Apr 7, 2026, 7:45 AM
Updated: Apr 7, 2026, 7:45 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.4
exploitability: 7.7
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.