CVE-2023-6000

medium

Description

The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.

References

Exploits
More

https://www.bleepingcomputer.com/news/security/new-balada-injector-campaign-infects-6-700-wordpress-sites/

https://wpscan.com/vulnerability/cdb3a8bd-4ee0-4ce0-9029-0490273bcfc8

https://wpscan.com/blog/stored-xss-fixed-in-popup-builder-4-2-3/

Details

Source: Mitre, NVD

Published: 2024-01-01

Updated: 2024-01-08

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N