The popular WordPress plugin Popup Maker was discovered to have an XSS vulnerability that could allow an attacker to upload malicious JavaScript.

The WordPress plugin named “Popup Maker – Popup for opt-ins, lead gen, & more” has 700,000+ active installations. It integrates with WooCommerce and many of the most popular contact forms, such as Ninja Forms, Gravity Forms, Contact Form 7 (CF7), Caldera Forms, WPForms, Mailchimp for WordPress (MC4WP), Formidable Forms, and more, with a host of add-on features.

Popup Maker is affected by a stored cross-site scripting (XSS) vulnerability, in which a malicious script is injected through the plugin and stored on the server.

This specific vulnerability happens when an attacker gains the credentials of a legitimate user with at least contributor-level access, then uses those credentials to initiate the attack.

This kind of attack usually happens where there is an input that fails to sanitize what is being uploaded through the form.

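The failure described above, a stored value written into a page without sanitization, shown beside a corrected form. This is an added example built on a hypothetical in-memory popup store, not Popup Maker's code; all function names are invented for illustration, and plain PHP's `htmlspecialchars()` stands in for WordPress's `esc_html()` / `esc_attr()`.

```php
<?php
// Hypothetical mini "popup" store for illustration only; not Popup Maker's code.
// In a real plugin, the WordPress equivalents are sanitize_text_field() on save
// and esc_html() / esc_attr() on output.

$db = []; // stands in for the server-side database

// Save path: whatever a logged-in contributor submits is persisted as-is.
function save_popup(array &$db, int $id, string $title): void {
    $db[$id] = $title;
}

// Weak: the stored value is written into the page verbatim, in both an
// attribute context and an element context.
function render_popup_unsafe(array $db, int $id): string {
    return '<div class="popup" title="' . $db[$id] . '">' . $db[$id] . '</div>';
}

// Hardened: escape at output time. ENT_QUOTES covers both quote characters,
// so the value cannot close the title="" attribute or open a new tag.
function render_popup_safe(array $db, int $id): string {
    $t = htmlspecialchars($db[$id], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="popup" title="' . $t . '">' . $t . '</div>';
}

// Audit helper: a stored value that renders differently once escaped
// contains characters the browser would treat as markup.
function alters_markup(array $db, int $id): bool {
    return render_popup_unsafe($db, $id) !== render_popup_safe($db, $id);
}

// Constructed sample submissions (textbook test strings, not real payloads).
$samples = [
    1 => 'Spring sale',
    2 => '<script>alert(1)</script>',
    3 => '" onmouseover="alert(1)',
];
foreach ($samples as $id => $title) {
    save_popup($db, $id, $title);
}

foreach (array_keys($db) as $id) {
    printf("popup %d alters markup: %s\n", $id, alters_markup($db, $id) ? 'yes' : 'no');
    printf("  unsafe: %s\n", render_popup_unsafe($db, $id));
    printf("  safe:   %s\n", render_popup_safe($db, $id));
}
```
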
The U.S. government National Vulnerability Database issued an advisory about this Stored Cross-Site Scripting vulnerability in the WordPress Popup Maker plugin.