CVE-2022-4362: 
WordPress vulnerability analysis and mitigation

The Popup Maker WordPress plugin before version 1.16.9 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4362. The vulnerability was discovered by Tin Pham (TF1T) and publicly disclosed on September 23, 2022. This security issue affects the plugin's shortcode functionality, specifically impacting WordPress installations running Popup Maker versions prior to 1.16.9 (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes in the plugin. It has been assigned a CVSS v3.1 base score of 5.4 (Medium), with attack vector being Network, attack complexity Low, and requiring low privileges and user interaction. The vulnerability has been classified as CWE-79: Cross-Site Scripting (AttackerKB, WPScan).

When exploited, this vulnerability allows users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. The impact affects both the preview functionality of popups and frontend pages once the popup is published, potentially compromising the integrity and confidentiality of the website (WPScan).

The vulnerability has been patched in version 1.16.9 of the Popup Maker plugin. Website administrators are strongly advised to update to this version or later to mitigate the risk (WPScan).