CVE-2020-10196

An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several of the popup's fields by sending a request to wp-admin/admin-ajax.php with the POST action parameter of sgpb_autosave and including additional data in an allPopupData parameter, including the popup's ID (which is visible in the source of the page in which the popup is inserted) and arbitrary JavaScript which will then be executed in the browsers of visitors to that page. Because the plugin functionality automatically adds script tags to data entered into these fields, this injection will typically bypass most WAF applications.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://wpvulndb.com/vulnerabilities/10127	Third Party Advisory
https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-popup-builder-plugin-affecting-over-100000-sites/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sygnoos:popup-builder:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2020-03-13 16:15

Updated : 2024-02-28 17:47

NVD link : CVE-2020-10196

Mitre link : CVE-2020-10196

CVE.ORG link : CVE-2020-10196

JSON object : View

Products Affected

sygnoos

popup-builder

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2020-10196", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2020-03-13T16:15:12.267", "references": [{"url": "https://wpvulndb.com/vulnerabilities/10127", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-popup-builder-plugin-affecting-over-100000-sites/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several of the popup's fields by sending a request to wp-admin/admin-ajax.php with the POST action parameter of sgpb_autosave and including additional data in an allPopupData parameter, including the popup's ID (which is visible in the source of the page in which the popup is inserted) and arbitrary JavaScript which will then be executed in the browsers of visitors to that page. Because the plugin functionality automatically adds script tags to data entered into these fields, this injection will typically bypass most WAF applications."}, {"lang": "es", "value": "Una vulnerabilidad de tipo XSS en el plugin popup-builder versiones anteriores a 3.64.1 para WordPress, permite a atacantes remotos inyectar JavaScript arbitrario en los ventanas emergentes existentes por medio de una acci\u00f3n ajax no segura en el archivo com/classes/Ajax.php. Es posible que un atacante no autenticado inserte JavaScript malicioso en varios de los campos de la ventana emergente mediante el env\u00edo de una petici\u00f3n al archivo wp-admin/admin-ajax.php con el par\u00e1metro POST action de sgpb_autosave e incluyendo datos adicionales en un par\u00e1metro allPopupData, incluyendo el ID de la ventana emergente (que es visible en la fuente de la p\u00e1gina en la que se inserta la ventana emergente) y JavaScript arbitrario que luego ser\u00e1 ejecutado en los navegadores de los visitantes a esa p\u00e1gina. Debido a que la funcionalidad del plugin incorpora autom\u00e1ticamente etiquetas de script en los datos introducidos en estos campos, esta inyecci\u00f3n t\u00edpicamente omitir\u00e1 la mayor\u00eda de las aplicaciones WAF."}], "lastModified": "2020-03-18T16:49:36.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sygnoos:popup-builder:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "B8D3F7DC-D503-4716-974F-01B47E70E3F7", "versionEndExcluding": "3.64.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}