CVE-2022-1104

MEDIUM

Code-atlantic Popup Maker < 1.16.5 - XSS

Title source: rule

Description

The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Exploits (1)

exploitdb WORKING POC
by Roel van Beurden · text · webapps · php
https://www.exploit-db.com/exploits/50876

Scores

CVSS v3 4.8
EPSS 0.1350
EPSS Percentile 94.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
code-atlantic/popup_maker < 1.16.5
Published May 09, 2022
Tracked Since Feb 18, 2026