When saving a new campaign, a user with edit_pages capabilities can store scripts in the campaign’s pop-up content. The code can then be executed on every page on the website.
Proof of concept
Proof of concept will be posted later, to give users the time to update.
- Tuesday, march 24th 2020: Vulnerability detected by Jeroen Mulder. Plugin’s author notified
- Friday, march 27th 2020: Vulnerability fixed by plugin author in version 1.4.11