CVE-2022-28612: 
WordPress vulnerability analysis and mitigation

CVE-2022-28612 is an Improper Access Control vulnerability discovered in Muneeb's Custom Popup Builder WordPress plugin versions 1.3.1 and below. The vulnerability was disclosed on June 14, 2022, and involves multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities that can be exploited by users with contributor or higher user roles (Patchstack Advisory).

The vulnerability is classified with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-284 (Improper Access Control). It received a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue stems from improper authorization controls and insufficient sanitization and escaping of certain parameters (NVD Database).

The vulnerability allows authenticated users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. This could enable malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads that would execute when visitors access the affected website (WPScan).

No official fix has been released for this vulnerability. The plugin has been removed from the WordPress plugin repository due to security concerns. Users are advised to remove the plugin from their WordPress installations (Patchstack Advisory).