# Exploit Title: WordPress Plugin Popup Maker <1.16.5 - Persistent Cross-Site Scripting (Authenticated)
# Exploit Author: Roel van Beurden
# Vendor Homepage:
# Software Link:
# Version: <1.16.5
# Tested on: WordPress 5.9 on Ubuntu 20.04

1. Description:
WordPress Plugin Popup Maker <1.16.5 does not sanitise and escape some of its popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

2. Proof of Concept:
Create Popup > Popup Settings > Triggers > Add New Cookie > Add > Cookie Time  (overwrite the default '1 month' with XSS payload)
Click 'Add' what triggers the XSS payload

Payload examples:

<img src=x onerror=alert('XSS')>