CVE-2022-47598: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was identified in WP Plugins Pro WP Super Popup plugin versions 1.1.2 and below. The vulnerability was discovered by researcher Mika and assigned CVE-2022-47598. The issue was reported on December 20, 2022, and publicly disclosed on January 13, 2023 (Patchstack Advisory).

The vulnerability is classified as an Authenticated Stored Cross-Site Scripting (XSS) issue requiring administrator-level access. It received a CVSS v3.1 base score of 4.8 (Medium) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it at 5.9 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD Database).

The vulnerability could allow a malicious actor with administrator access to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack Advisory).

As of the latest reports, no official fix has been made available for this vulnerability. The issue affects versions 1.1.2 and below of the WP Super Popup plugin (Patchstack Advisory).

Patchstack issued an early warning to their customers on January 13, 2023, followed by a public disclosure on January 15, 2023 (Patchstack Advisory).