CVE-2022-1750 in Sticky Popup Plugin
Summary
by MITRE • 06/13/2022
The Sticky Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ popup_title' parameter in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admin level capabilities and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue mostly affects sites where unfiltered_html has been disabled for administrators and on multi-site installations where unfiltered_html is disabled for administrators.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/08/2026
The CVE-2022-1750 vulnerability resides within the Sticky Popup WordPress plugin, specifically affecting versions up to and including 1.2. This security flaw represents a critical stored cross-site scripting vulnerability that exploits the 'popup_title' parameter, demonstrating a fundamental failure in input validation and output sanitization. The vulnerability's severity is amplified by its requirement for authenticated access, meaning only users with administrator-level privileges or higher can exploit it, though this still presents a significant risk to WordPress installations. The flaw operates through a classic stored XSS vector where malicious scripts are injected into the plugin's popup_title field and subsequently executed whenever affected pages are accessed by any user, regardless of their privileges.
The technical exploitation of this vulnerability occurs due to insufficient input sanitization mechanisms within the plugin's codebase, combined with inadequate output escaping practices. When administrators enter content into the popup_title field without proper validation, the system fails to sanitize the input before storing it in the database. This stored malicious content then gets rendered on web pages without appropriate HTML escaping, allowing attackers to inject JavaScript payloads that execute in the context of other users' browsers. The vulnerability's impact is particularly concerning in multi-site WordPress installations where unfiltered_html capabilities are restricted for administrators, as it provides a method for privilege escalation and persistent code execution within the target environment.
The operational implications of CVE-2022-1750 extend beyond simple script injection, as it enables attackers to establish persistent backdoors, steal user sessions, perform account takeover operations, and potentially escalate privileges further within the compromised WordPress environment. Attackers can leverage this vulnerability to inject malicious code that harvests sensitive information, modifies website content, or redirects users to malicious domains. The vulnerability's persistence stems from its stored nature, meaning the injected scripts remain active until manually removed from the database, potentially affecting all users who access pages containing the malicious content. This characteristic aligns with CWE-79, which specifically addresses cross-site scripting vulnerabilities in web applications, and represents a clear violation of secure coding practices that should prevent such injection attacks through proper input validation and output encoding.
Organizations affected by this vulnerability should immediately implement mitigations including updating to the patched version of the Sticky Popup plugin, if available, or implementing temporary workarounds such as disabling the plugin entirely until a secure update can be deployed. Security monitoring should be enhanced to detect unusual administrative activities and content modifications within popup-related sections of the WordPress admin interface. Additionally, implementing proper input validation and output escaping mechanisms throughout the WordPress environment, as recommended by the OWASP Top Ten and MITRE ATT&CK framework, can help prevent similar vulnerabilities from occurring in other components. The vulnerability demonstrates the critical importance of validating all user inputs and properly escaping output in web applications, particularly in administrative interfaces where privileged users can introduce malicious content that affects the entire user base.