CVE-2022-4381: 
WordPress vulnerability analysis and mitigation

The Popup Maker WordPress plugin before version 1.16.9 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-4381. The vulnerability was discovered by An Doan and publicly disclosed on September 23, 2022. This security issue affects the plugin's shortcode functionality, specifically impacting WordPress installations running Popup Maker versions prior to 1.16.9 (WPScan Advisory).

The vulnerability stems from improper validation and escaping of shortcode attributes in the plugin's subscription form functionality. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Cross-Site Scripting (NVD).

When exploited, this vulnerability allows users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. The successful exploitation could lead to the execution of malicious JavaScript code in users' browsers when they view or interact with affected pages (WPScan Advisory).

The vulnerability has been patched in version 1.16.9 of the Popup Maker plugin. Site administrators are strongly advised to update to this version or later to mitigate the security risk (WPScan Advisory).