When saving a new campaign, a user with administrator capabilities can store scripts in the plugin’s options. The code can then be executed on every page or post on the website.
Proof of concept
Proof of concept will be posted later, to give users the time to update.
Plugin name: CM Pop-Up banners for WordPress Plugin
Plugin Author: Sayan Datta
- Wednesday, april 1st 2020: Vulnerability detected by Jeroen Mulder. Plugin’s author notified
- Thursday, April 2nd 2020: Vulnerability fixed by plugin author in version 1.6.6
- Friday, april 3rd 2020: Vulnerability posted to wpvulndb.com