CVE-2023-5561 in WordPress
Summary
by MITRE • 10/25/2023
The Popup Builder WordPress plugin through 4.1.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Analysis
by VulDB Data Team • 05/07/2026
CVE-2023-5561 affects the Popup Builder WordPress plugin in versions through 4.1.15. It is a stored cross-site scripting flaw in the plugin's settings handling: values an administrator enters on the plugin's settings screens are neither sanitised when saved nor escaped when rendered. Exploiting it requires an account that can already change those settings (administrator or higher), so this is not an unauthenticated or low-privilege issue and should not be rated as critical; its significance lies in what that administrator is normally not allowed to do. WordPress reserves the unfiltered_html capability for users trusted to publish raw HTML and script, and on a multisite network only super admins hold it by default (a single site can impose the same restriction with the DISALLOW_UNFILTERED_HTML constant). Through this plugin, an administrator who lacks that capability can still persist arbitrary script, which is exactly the restriction the flaw bypasses.
Technically the flaw is the familiar two-part failure. On save, the plugin writes the affected settings (the advisory says only that "some of its settings" are involved) into the options table as received, without passing them through sanitize_text_field, wp_kses_post or a comparable allow-list. On output, it echoes the stored values back without context-appropriate escaping (esc_attr, esc_html, wp_kses_post). Core's kses filtering, which strips script from post content for users without unfiltered_html, applies to post content, not to plugin-owned options, so nothing stops a script tag or an event-handler attribute from reaching the database. The payload then runs in the browser of every user who loads the screen where the setting is rendered, normally the plugin's own admin pages: other administrators, and on multisite the super admins who manage the network. This is CWE-79 in its stored (persistent) form: the payload lives on the server and fires on every view, not only in the request that planted it.
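The two halves of the fix, sanitise on save according to the saving user's unfiltered_html capability and escape on output, look like this in plugin code. This is an added illustration, not Popup Builder's own code; the option names (demo_popup_title, demo_popup_body), the settings group, the nonce action and the function names are all assumptions, and the "vulnerable" half reproduces the pattern the advisory describes rather than the plugin's actual source.

```php
<?php
/**
 * Plugin Name: Popup settings XSS demo (hypothetical)
 *
 * Added example, not Popup Builder's code. Option names (demo_popup_*),
 * the settings group and the nonce action are assumptions.
 */

// --- Vulnerable pattern: nothing sanitised on save, nothing escaped on output ---

function demo_vuln_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'demo_popup_settings' );
    // Stored as received. Core only kses-filters post content for users
    // lacking unfiltered_html; a plugin option gets no such treatment, so a
    // site admin on a multisite network can persist <script> here.
    update_option( 'demo_popup_title', wp_unslash( $_POST['demo_popup_title'] ?? '' ) );
    update_option( 'demo_popup_body',  wp_unslash( $_POST['demo_popup_body']  ?? '' ) );
}

function demo_vuln_render() {
    // Unescaped echo: the stored payload runs for every user who opens this screen.
    echo '<input type="text" name="demo_popup_title" value="'
        . get_option( 'demo_popup_title', '' ) . '">';
    echo '<div class="demo-popup-body">' . get_option( 'demo_popup_body', '' ) . '</div>';
}

// --- Hardened pattern ---

// Title is plain text: strip tags, encode entities, collapse whitespace.
// (options.php has already unslashed the value before it reaches this callback.)
function demo_sanitize_title( $value ) {
    return sanitize_text_field( $value );
}

// Body is rich text: apply the same allow-list core uses for post content,
// unless the saving user genuinely holds unfiltered_html (on multisite, a
// super admin), which mirrors how core treats post_content.
function demo_sanitize_body( $value ) {
    return current_user_can( 'unfiltered_html' ) ? $value : wp_kses_post( $value );
}

add_action( 'admin_init', function () {
    // register_setting hooks sanitize_option_{name}, so the callback runs on
    // every write path (options.php, REST, a direct update_option call),
    // not only on the plugin's own form handler.
    register_setting( 'demo_popup', 'demo_popup_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_title',
    ) );
    register_setting( 'demo_popup', 'demo_popup_body', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_body',
    ) );
} );

function demo_safe_render() {
    // Escape for the exact output context: attribute value vs. HTML body.
    printf(
        '<input type="text" name="demo_popup_title" value="%s">',
        esc_attr( get_option( 'demo_popup_title', '' ) )
    );
    // The body was allow-listed at write time on every path, so it is echoed
    // as stored, exactly as core does for post_content. Values written before
    // the fix are not covered by this and must be re-saved or cleaned up.
    echo '<div class="demo-popup-body">' . get_option( 'demo_popup_body', '' ) . '</div>';
}
```

The capability check belongs on the save path, where WordPress knows who is writing; by the time the value is rendered, the identity of the author is gone. wp_kses_post removes script, iframe and object elements, on* event attributes and javascript: URLs while keeping ordinary formatting, so it is the right default for any field that legitimately needs HTML; fields that only ever hold a label or a number should use sanitize_text_field or absint instead.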
Operationally, the attacker is someone who already holds an administrator account (a compromised or rogue admin, or on multisite a site administrator who should not be able to run script against the network's super admins), and the victim is any other privileged user who views the tainted screen. WordPress sets its authentication cookies as HttpOnly, so the realistic payload does not steal the session cookie; it rides the victim's live session instead, calling wp-admin or the REST API with the victim's nonce and privileges to, for example, create another administrator, change a user's e-mail address, or on multisite act with the super-admin rights the attacker lacks. The persistence is what makes this worse than a reflected XSS: the script fires on every visit until someone locates and removes the value from the option, so one save can keep working against many users for a long time.
Mitigation starts with updating Popup Builder to 4.1.16 or later, the release that adds the missing sanitisation and escaping. Beyond that: keep the administrator role to the accounts that genuinely need it (on multisite, remember that a site administrator is precisely the role this flaw lets bypass the network's unfiltered_html policy), log and review changes to plugin options, and inspect the plugin's stored settings after updating, because the patch does not clean payloads already sitting in the database. The ATT&CK mapping given in earlier versions of this analysis does not fit: T1548.002 is Bypass User Account Control, a Windows technique, and T1100 is a retired identifier whose web-shell content now lives under T1505.003; a stored XSS is not a web shell. The closest fit is T1059.007 (Command and Scripting Interpreter: JavaScript), with the tainted option acting as the persistence point. A Content Security Policy can limit what injected script is able to do, but wp-admin relies heavily on inline scripts, so a policy strict enough to stop this payload generally cannot be deployed on the dashboard without breaking it; treat CSP as a front-end control and rely on sanitise-on-save, escape-on-output in the plugin itself. The pattern recurs in WordPress plugins that store settings without a sanitize_callback, so the same review is worth applying to the other plugins and themes on the site.
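Until the update is applied, and as a way to implement the "monitor plugin settings" advice above, a site can intercept option writes itself. The must-use plugin below is an added example, not part of Popup Builder or of this analysis: it watches options with an assumed prefix, flags values that contain markup capable of executing in a browser, allows the write (with a log line) when the saving user holds unfiltered_html, and drops it otherwise. The prefix, function names and log format are assumptions.

```php
<?php
/**
 * Plugin Name: Option markup guard (hypothetical compensating control)
 *
 * Added example, not Popup Builder's code. Drop into wp-content/mu-plugins/.
 * DEMO_GUARD_PREFIX is an assumption; set it to the option names the plugin
 * you are protecting actually writes.
 */

const DEMO_GUARD_PREFIX = 'demo_popup_';

/**
 * Recursively look for markup that would execute in a browser: script,
 * iframe, object, embed and svg elements, on* event attributes, and
 * javascript: URLs. This is a detector, not a sanitiser: it is deliberately
 * broad and will flag some legitimate rich text, which is why it logs and
 * refuses the write rather than silently rewriting the value.
 */
function demo_guard_has_active_markup( $value ) {
    if ( is_array( $value ) || is_object( $value ) ) {
        foreach ( (array) $value as $item ) {
            if ( demo_guard_has_active_markup( $item ) ) {
                return true;
            }
        }
        return false;
    }
    if ( ! is_string( $value ) ) {
        return false;
    }
    return 1 === preg_match(
        '#<\s*(script|iframe|object|embed|svg)\b|[\s"\'/]on[a-z]+\s*=|javascript\s*:#i',
        $value
    );
}

// pre_update_option fires before the row is written. Returning the old value
// makes update_option() see "no change" and skip the write entirely.
add_filter( 'pre_update_option', function ( $value, $option, $old_value ) {
    if ( 0 !== strpos( $option, DEMO_GUARD_PREFIX ) ) {
        return $value;
    }
    if ( ! demo_guard_has_active_markup( $value ) ) {
        return $value;
    }

    $user = wp_get_current_user();
    $who  = $user->exists()
        ? sprintf( '%s (ID %d)', $user->user_login, $user->ID )
        : 'no user (cron/CLI)';

    if ( current_user_can( 'unfiltered_html' ) ) {
        // Entitled user (super admin on multisite): allow, but leave an audit trail.
        error_log( sprintf( '[option-guard] %s saved active markup in %s (unfiltered_html held)', $who, $option ) );
        return $value;
    }

    error_log( sprintf( '[option-guard] BLOCKED %s: active markup in %s without unfiltered_html', $who, $option ) );
    return $old_value;
}, 10, 3 );
```

Two caveats. First, the guard only sees writes that go through update_option; a plugin that writes the options table with direct SQL bypasses it, and values already stored before the guard was installed are untouched, so pair it with a one-off review of the existing options (for example with WP-CLI, `wp option list --search='demo_popup_*'`, substituting the real prefix). Second, the regular expression is a tripwire, not a parser; a determined attacker can encode around it, which is why it is a stop-gap for the interval before the plugin update, not a replacement for it.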