## FULL DISCLOSURE #Product : Unlimited Pop-Ups WordPress Plugin #Exploit Author : Rahul Pratap Singh #Version : 1.4.3 #Home page Link : http://codecanyon.net/item/unlimited-popups-wordpress-plugin/8575498 #Website : 0x62626262.wordpress.com #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94 #Date : 21/4/2016 XSS Vulnerability: ---------------------------------------- Description: ---------------------------------------- "callback, shortcode, id, and page" parameters are not sanitized that leads to Reflected XSS. ---------------------------------------- Vulnerable Code: ---------------------------------------- File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/admin_form.php Found at line:1319 echo '

'; File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/admin_ajax.php Found at line:162 echo ''; File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/sample-code/dynamic-sidebar-setup/theme_dynamic_sidebars.php Found at line:139 File Name: testfiles/Unlimited Pop-Ups WordPress Plugin/upload/cj-popups/framework/includes/options/core_import_export.php Found at line:94 echo ''; ---------------------------------------- Fix: Update to 1.4.4 Vulnerability Disclosure Timeline: → March 12, 2016 – Bug discovered, initial report to Vendor → March 14, 2016 – Vendor Acknowledged → March 30, 2016 – Vendor Deployed a Patch Pub Ref: https://0x62626262.wordpress.com/2016/04/21/unlimited-pop-ups-wordpress-plugin-xss-vulnerability/ http://codecanyon.net/item/unlimited-popups-wordpress-plugin/8575498