CVE-2023-6000

MEDIUM EXPLOITED NUCLEI

Sygnoos Popup Builder < 4.2.3 - XSS

Description

The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.

Exploits (1)

nomisec WORKING POC 1 stars
by RonF98 · client-side
https://github.com/RonF98/CVE-2023-6000-POC

Nuclei Templates (1)

WordPress Popup Builder <= 4.2.3 - Unauthenticated Stored XSS
MEDIUM VERIFIED by riteshs4hu
FOFA: body="/wp-content/plugins/popup-builder"

Scores

CVSS v3 6.1
EPSS 0.6912
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

VulnCheck KEV 2024-01-10
CWE CWE-79
Status published
Products (1)
sygnoos/popup_builder < 4.2.3
Published Jan 01, 2024
Tracked Since Feb 18, 2026