CVE-2023-4962 in Video PopUp Plugin
Summary
by MITRE • 01/11/2024
The Video PopUp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'video_popup' shortcode in versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/11/2026
The Video PopUp plugin for WordPress presents a critical security vulnerability classified as CVE-2023-4962, affecting versions up to and including 1.1.3. This vulnerability manifests as a stored cross-site scripting flaw that specifically targets the plugin's 'video_popup' shortcode functionality, creating a persistent threat vector within WordPress environments. The issue stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or sanitize user-supplied attributes before processing them within the plugin's shortcode implementation. The vulnerability's impact extends beyond simple script execution as it provides authenticated attackers with the capability to inject malicious code that persists in the WordPress database, making it particularly dangerous in multi-user environments where contributors and higher-level roles can exploit this weakness.
The technical flaw resides in the plugin's insufficient validation of shortcode attributes, particularly those related to video popup configurations that users can manipulate through the WordPress admin interface. When an authenticated user with contributor-level permissions or higher creates or modifies content containing the vulnerable shortcode, the plugin fails to properly escape or sanitize the input parameters before rendering them in the output HTML. This allows attackers to inject malicious JavaScript code within the shortcode attributes, which gets stored in the database and subsequently executed whenever any user accesses pages containing the compromised shortcode. The vulnerability operates under CWE-79 which specifically addresses cross-site scripting flaws, and aligns with ATT&CK technique T1566.001 for initial access through malicious content.
The operational impact of this vulnerability is substantial as it enables attackers to leverage the privilege escalation inherent in contributor-level accounts to execute arbitrary scripts across the entire WordPress installation. Once compromised, the malicious code can perform various malicious activities including but not limited to session hijacking, data exfiltration, defacement of content, or redirection to malicious sites. The stored nature of the vulnerability means that the injected scripts persist indefinitely until manually removed, creating a continuous threat vector that can affect all users who access pages containing the compromised shortcode. This makes the vulnerability particularly dangerous in environments where multiple contributors regularly update content, as it increases the attack surface and potential exposure time.
Mitigation strategies for CVE-2023-4962 should begin with immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Organizations should implement strict input validation measures that sanitize all user-supplied attributes before processing, ensuring that any potentially malicious content is properly escaped or removed. Network segmentation and role-based access controls should be enforced to limit the privileges of users who can modify content containing shortcodes. Additionally, implementing content security policies and regular security audits of WordPress plugins can help identify similar vulnerabilities before they can be exploited. Security monitoring should include detection of unusual shortcode usage patterns and automated scanning for stored XSS vulnerabilities in commonly used plugins. The ATT&CK framework suggests implementing defensive measures such as web application firewalls and regular penetration testing to prevent exploitation of this class of vulnerability.