woo-popup Plugin class-woo-popup-admin.php cross site scripting
Description
A vulnerability classified as problematic has been found in woo-popup Plugin up to 1.2.2 on WordPress. This affects an unknown part of the file admin/class-woo-popup-admin.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.3.0 is able to address this issue. The patch is named 7c76ac78f3e16015991b612ff4fa616af4ce9292. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222327.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/woo-popup Plugin
Patches
Vulnerability mechanics
Root cause
"The plugin fails to properly sanitize user-supplied input before rendering it in the admin interface, leading to cross-site scripting."
Attack vector
An attacker can exploit this vulnerability by supplying crafted input that is later displayed within the WordPress admin area. Because that input is not properly escaped on output, arbitrary JavaScript can execute in the context of another administrator's browser. The affected code lives in the plugin's admin interface, so the issue is reachable remotely by authenticated users with administrative privileges. [CWE-79]
Affected code
The vulnerability resides in the `admin/class-woo-popup-admin.php` file within the woo-popup plugin. The changes in the patch indicate that the handling of `popup_content` and `popup_theme` options, particularly when using `wp_editor` and select elements, was the focus of the fix. [patch_id=4375412]
What the fix does
The patch addresses the cross-site scripting vulnerability by ensuring that user-supplied content is properly escaped before being displayed. Specifically, the code related to the `popup_content` and `popup_theme` options is modified to include sanitization or escaping mechanisms. This prevents malicious scripts embedded in these fields from being executed when the admin page is rendered. [patch_id=4375412]
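The description above names the general remedy (escape on output) without showing it. The following is an added illustration of that pattern, not the woo-popup plugin's own code: the function names, the theme list and the way the `popup_theme` and `popup_content` options are read are assumptions. It places an unescaped select rendering beside a hardened version that uses WordPress's `esc_attr()`, `esc_html()`, `selected()` and `wp_kses_post()`.

```php
<?php
// Added illustration (not the woo-popup plugin's code). The option names
// popup_theme and popup_content come from the advisory; the function names,
// the theme list and the markup are assumptions made for this example.

// Unsafe pattern: stored option values are echoed raw into an attribute and
// into element text. A value containing a quote or markup breaks out of the
// attribute and is rendered as HTML in the next administrator's browser.
function woo_popup_example_render_theme_select_unsafe( $saved_theme, array $themes ) {
    $html = '<select name="popup_theme">';
    foreach ( $themes as $theme ) {
        $sel   = ( $theme === $saved_theme ) ? ' selected="selected"' : '';
        $html .= '<option value="' . $theme . '"' . $sel . '>' . $theme . '</option>';
    }
    return $html . '</select>';
}

// Hardened pattern: esc_attr() for the attribute context, esc_html() for the
// text context, and selected() (third argument false = return, not echo) to
// emit the selected attribute without string concatenation.
function woo_popup_example_render_theme_select( $saved_theme, array $themes ) {
    $html = '<select name="popup_theme">';
    foreach ( $themes as $theme ) {
        $html .= sprintf(
            '<option value="%s"%s>%s</option>',
            esc_attr( $theme ),
            selected( $saved_theme, $theme, false ),
            esc_html( $theme )
        );
    }
    return $html . '</select>';
}

// Rich-text popup content that is previewed outside the editor: wp_kses_post()
// keeps the markup allowed in post content and strips script tags, event
// handler attributes and javascript: URLs.
function woo_popup_example_render_content_preview( $saved_content ) {
    return '<div class="woo-popup-preview">' . wp_kses_post( $saved_content ) . '</div>';
}

// Usage inside a settings-page callback (option defaults are assumptions):
// echo woo_popup_example_render_theme_select( get_option( 'popup_theme', 'light' ), array( 'light', 'dark' ) );
// echo woo_popup_example_render_content_preview( get_option( 'popup_content', '' ) );
```

Output escaping is the fix the advisory describes; a defender reviewing a plugin would also check that the options are sanitized on save (for example through the `sanitize_callback` argument of `register_setting()`), so that a stored payload cannot reach any other output path that forgets to escape.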
Preconditions
- Authentication: The attacker must have administrative privileges on the WordPress site.
- Network: The attack can be initiated remotely.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/wp-plugins/woo-popup/commit/7c76ac78f3e16015991b612ff4fa616af4ce9292 (mitre, patch)
- github.com/wp-plugins/woo-popup/releases/tag/1.3.0 (mitre, patch)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.