CVE-2022-2404: 
WordPress vulnerability analysis and mitigation

The WP Popup Builder WordPress plugin before version 1.2.9 contains a Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered in September 2022 and assigned CVE-2022-2404. The issue affects all versions of the plugin up to and including version 1.2.8, and was fixed in version 1.2.9 (WPScan).

The vulnerability exists because the plugin does not properly sanitize and escape a parameter before outputting it back in the page. The vulnerability can be exploited through the custom-popup parameter, which needs to be the ID of an existing popup. The CVSS score for this vulnerability is 6.1 (Medium), and it is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (WPScan).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who visit the affected pages. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users (WPScan).

The vulnerability has been fixed in version 1.2.9 of the WP Popup Builder plugin. Users are advised to update to this version or later to protect against this security issue (WPScan).