The WordPress plugin “Popup Maker – Popup for opt-ins, lead gen, & more” has 700,000+ active installations. It integrates with WooCommerce and with many of the most popular contact form plugins, such as Ninja Forms, Gravity Forms, Contact Form 7 (CF7), Caldera Forms, WPForms, Mailchimp for WordPress (MC4WP), and Formidable Forms, and offers a range of add-on features.
The Popup Maker Vulnerability
Popup Maker is affected by a stored cross-site scripting (XSS) vulnerability, in which a malicious script injected through the plugin is saved on the server and then served to every visitor who loads the affected page.
To exploit it, an attacker first needs the credentials of a legitimate user with at least contributor-level access, and then uses that account to inject the script.
This kind of attack typically occurs when an input fails to sanitize what is submitted through a form.
The U.S. government's National Vulnerability Database (NVD) issued an advisory about this stored cross-site scripting vulnerability in the WordPress Popup Maker plugin.
The details of the WordPress Popup Maker vulnerability indicate that versions prior to 1.16.9 do not validate and escape one of the plugin's shortcode attributes, which could allow users with a role as low as contributor to perform stored cross-site scripting attacks.
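As an added illustration of the bug class described above (this is not Popup Maker's code, and the advisory does not name the affected attribute), the following shows a WordPress shortcode handler that interpolates an attribute into markup unescaped, beside the hardened form that escapes it for the context it lands in. The shortcode name `demo_popup` and the attribute `title` are hypothetical; the stand-in definitions only exist so the file runs outside WordPress.

```php
<?php
// Stand-ins so this file runs without WordPress; inside WordPress the real
// shortcode_atts()/esc_attr()/esc_html() are used and these are skipped.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        // Keep only known attributes, falling back to the defaults.
        return array_merge($pairs, array_intersect_key($atts, $pairs));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern: the attribute value goes straight into the HTML. A post
// containing [demo_popup title="..."] saved by a contributor is stored and the
// markup is rendered for every later visitor, including administrators.
function demo_popup_vulnerable($atts): string {
    $a = shortcode_atts(['title' => 'Popup'], (array) $atts);
    return '<div class="popup" data-title="' . $a['title'] . '">'
         . $a['title'] . '</div>';
}

// Hardened pattern: escape for the attribute context and for the text context
// separately, so a stored value cannot break out of either.
function demo_popup_hardened($atts): string {
    $a = shortcode_atts(['title' => 'Popup'], (array) $atts);
    return '<div class="popup" data-title="' . esc_attr($a['title']) . '">'
         . esc_html($a['title']) . '</div>';
}

// Constructed probe value: a quote that would close the attribute in the
// vulnerable handler. Compare the two outputs.
$probe = ['title' => 'x" onmouseover="alert(1)'];
echo demo_popup_vulnerable($probe), PHP_EOL;
echo demo_popup_hardened($probe), PHP_EOL;
```

Run with `php demo.php`: the first line shows the quote terminating the attribute, the second shows it rendered inert as `&quot;`.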
It is advised that existing WordPress website owners that use this plugin