CVE-2020-36715: 
WordPress vulnerability analysis and mitigation

The Login/Signup Popup plugin for WordPress (versions up to and including 1.4) contains an authorization bypass vulnerability (CVE-2020-36715) due to missing capability checks on several functions. This vulnerability was discovered and disclosed in May 2020 (NVD).

The vulnerability stems from missing authorization checks on multiple plugin functions, which allows authenticated attackers to inject arbitrary web scripts into the plugin settings. The severity is rated as MEDIUM with a CVSS v3.1 base score of 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N) according to NVD, though Wordfence rates it as HIGH with a score of 7.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L) (NVD).

If successfully exploited, attackers can inject malicious web scripts into the plugin settings. These scripts will execute when users perform certain actions, such as clicking on a link. This could lead to potential compromise of user data or unauthorized actions being performed on behalf of the victim (NVD).

The vulnerability has been fixed in version 1.5 of the Login/Signup Popup plugin. Users are advised to update to this version or later to protect against this security issue (Patchstack).