CVE-2024-5799 – CM Pop-Up Banners for WordPress < 1.7.3 - Contributor+ Stored XSS

https://notcve.org/view.php?id=CVE-2024-5799

The CM Pop-Up Banners for WordPress plugin before 1.7.3 does not sanitise and escape some of its popup fields, which could allow high privilege users such as Contributors to perform Cross-Site Scripting attacks. The CM Pop-Up Banners for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via campaign data in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/3ee3023a-541c-40e6-8d62-24b4b110633c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •