Cross-site scripting flaw in WordPress plugin Popup builder.

The cross-site scripting attack on a WordPress site:

Internet traffic is rising rapidly. Users like things that require less effort while still delivering quality, and WordPress is part of this. WordPress was introduced in 2003, and millions of WordPress websites have been hosted since then. WordPress is a fixed website building block, but each site has its own purpose, and we always try to make a site distinct from other websites, not just by content but by structure. We try many themes and plugins to attach additional functionality to WordPress-based sites, but are you sure the plugin is secure for your website and not vulnerable? Security is a vital part of website development: whether in terms of content, ads, user requirements or SEO, you can make your website the best. miniOrange investigates the behavior of requests and blocks the harmful IP before it reaches your site.


Vulnerabilities in a WordPress site enable attackers to inject malicious scripts under the guise of a trustworthy individual and force the user to perform malicious activities. There is no way to verify whether the script is coming from a trusted source or not. In WordPress, we can attach additional functionality to sites through plugins, but even excellent services often have some drawbacks. After activation, a plugin not only reads the website parameters but also adds its own input fields, and vulnerabilities in these input fields are common. Such input fields include site search, comment forms, contact forms, login pages, etc. Real security depends on these input fields, because hackers exploit vulnerabilities in them to add malicious code to the site.

How does an XSS attack impact a WordPress site?

The attacker injects a malicious script, which mainly contains malicious links or malicious programs that get silently installed on the system without user interaction. Sometimes it forces the user to provide additional information. We don't need to log in again and again: once we log in to a web application, it generates a session cookie, and we can access the web application until the session expires. Once the cookies are stolen, the intruder is able to reach the user account without a username and password and to view all the applications opened in the same browser.

There are three types of XSS:

  • The reflective cross-site scripting attack is where the malicious script is injected from the client side.

  • The persistent cross-site scripting attack is where the malicious script inserted by an attacker gets stored in the database, possibly allowing the attacker to retrieve information stored within the database.

  • The DOM cross-site scripting attack is a client-side attack. The malicious script is executed directly after the execution of a legitimate server script.


The miniOrange framework focuses on "what is necessary?". Our team members evaluate those requirements and make products that satisfy the needs of the customer. For this, we have a tester team that is working 24 hours to provide you with the most robust security solution.

The XSS vulnerability in the “Pop-up builder” plugin

A few days earlier, miniOrange researchers found a flaw in the “Pop-up builder” plugin. The Pop-up builder plugin has 200,000+ active installations and is used for building and managing powerful modal pop-ups for WordPress blogs and webpages.


The Pop-up builder plugin allows you to create pop-ups for your WordPress sites. Some input fields accept only letters or numbers, or filter scripts down to plain text, but this plugin allows us to add custom JavaScript that runs on page load. It registers an AJAX hook meant to enable the auto-saving of draft pop-ups.


The function called on this hook lacked nonce checks, so an attacker can send a POST request to wp-admin/admin-ajax.php with an array parameter; this POST request includes a malicious JavaScript payload. That malicious script is stored in the database and is executed on every page load.


The function attempts to prevent updates from being saved to any popup in 'publish' status. If no 'post_ID' parameter is supplied, this check is bypassed, and the post ID provided in the 'allPopupData' parameter is updated.


An attacker can obtain all subscriber-level permissions by sending a POST request to admin-post.php with the 'action' parameter set to 'sgpbSaveSettings' and the 'sgpb-user-roles[]' parameter set to 'subscriber'.
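The checks whose absence is described above, for both the auto-save AJAX hook and the settings action, are sketched below as an added example; it is not the plugin's code. The handler names, nonce names, the 'title' key, the option name and the role policy are assumptions made for illustration.

```php
<?php
// Hypothetical handler, nonce and option names; only the request parameters
// ('allPopupData', 'post_ID', 'sgpb-user-roles') come from the text above.
add_action( 'wp_ajax_example_popup_autosave', 'example_popup_autosave' );
function example_popup_autosave() {
    // 1. CSRF: reject requests without a nonce minted for this action.
    if ( ! check_ajax_referer( 'example_popup_autosave', 'nonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    // 2. One source of truth for the target ID; fail closed when it is absent
    //    instead of falling back to an ID carried inside allPopupData.
    $post_id = isset( $_POST['post_ID'] ) ? absint( $_POST['post_ID'] ) : 0;
    if ( 0 === $post_id ) {
        wp_send_json_error( 'missing post_ID', 400 );
    }
    // 3. Authorization on that specific post, then the draft-only rule.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( 'publish' === get_post_status( $post_id ) ) {
        wp_send_json_error( 'autosave is for drafts only', 409 );
    }
    $data  = isset( $_POST['allPopupData'] ) ? (array) wp_unslash( $_POST['allPopupData'] ) : array();
    $title = isset( $data['title'] ) ? sanitize_text_field( $data['title'] ) : ''; // 'title' key is assumed
    wp_update_post( array( 'ID' => $post_id, 'post_title' => wp_slash( $title ) ) );
    wp_send_json_success();
}

add_action( 'admin_post_example_save_settings', 'example_save_settings' );
function example_save_settings() {
    // check_admin_referer() terminates the request on a missing or invalid nonce.
    check_admin_referer( 'example_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $requested = isset( $_POST['sgpb-user-roles'] ) ? (array) wp_unslash( $_POST['sgpb-user-roles'] ) : array();
    // Assumed policy: keep only existing roles that can already edit posts, so a
    // request naming 'subscriber' cannot widen access to the plugin.
    $roles = array();
    foreach ( array_map( 'sanitize_key', $requested ) as $name ) {
        $role = get_role( $name );
        if ( $role && $role->has_cap( 'edit_posts' ) ) {
            $roles[] = $name;
        }
    }
    update_option( 'example_popup_user_roles', $roles );
    wp_safe_redirect( admin_url() );
    exit;
}
```

Both handlers are registered only on the authenticated hooks (`wp_ajax_` and `admin_post_`), never on their `nopriv` variants.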


Steps to replicate the issue:

  • Go to the Add New section of the plugin and, after selecting the image type, add a script in the title field, select an image, and click on the Save button.

  • The script is saved into the database after clicking on the save button.

  • Now, this script gets executed on every page load. Via Cross-site scripting, the attackers would also be able to steal cookies, session tokens and sometimes even force the end-user to submit additional information.

  • In this manner, hackers can change the whole behavior of the WordPress site, but if you have WP Security Pro already installed on your site, miniOrange will block such suspicious requests and protect your site from attack.
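On the plugin side, the title field from the steps above can be made inert by cleaning it on save and escaping it for each output context on render. The following is an added example, not the plugin's code; the post type `example_popup` and the function names are hypothetical.

```php
<?php
// Hypothetical post type and function names (not the plugin's own code).

// On save: strip markup from the popup title before it reaches the database.
// The wp_insert_post_data filter receives slashed data, so unslash, clean, re-slash.
add_filter( 'wp_insert_post_data', 'example_popup_clean_title', 10, 2 );
function example_popup_clean_title( $data, $postarr ) {
    if ( 'example_popup' === $data['post_type'] ) {
        $clean              = sanitize_text_field( wp_unslash( $data['post_title'] ) );
        $data['post_title'] = wp_slash( $clean );
    }
    return $data;
}

// On render: escape for the context the value lands in, even though it was
// cleaned on save, because rows written before the fix may still hold markup.
function example_popup_render( $post_id ) {
    $title = get_post_field( 'post_title', $post_id, 'raw' );
    // Attribute context and element-text context use different escapers.
    $html  = '<div class="example-popup" data-title="' . esc_attr( $title ) . '">';
    $html .= '<h2>' . esc_html( $title ) . '</h2></div>';
    // Script context: JSON-encode with HEX flags so "</script>" cannot break out.
    $json  = wp_json_encode( array( 'title' => $title ), JSON_HEX_TAG | JSON_HEX_AMP );
    $html .= '<script>var examplePopup = ' . $json . ';</script>';
    return $html;
}
```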


How to protect your WordPress site from Attackers?

miniOrange provides a security package for your WordPress site. In it, you can get a Web application firewall to get rid of malicious activities.

miniOrange provides a firewall at two levels:

  • Website firewall based on plugin level:

    This activates the WAF after WordPress loads. It blocks illegitimate requests after a connection to WordPress has been made, and every request is checked in the plugin itself.


  • Website firewall on .htaccess level:

    At this level, the WAF is activated before WordPress loads. It blocks illegitimate requests before any connection to WordPress is made, so illegal requests are blocked before any page gets loaded.


The firewall service is enabled on plugin activation. In the free version of WP Security Pro, you get some signatures to protect your WordPress site from cross-site scripting (XSS).


The WAF filters and blocks unauthorized requests which are coming from a web application and does not allow abuse of it.

