CVE-2023-3226: 
WordPress vulnerability analysis and mitigation

The Popup Builder WordPress plugin before version 4.2.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability stems from improper sanitization and escaping of settings, which affects high-privilege users such as administrators, particularly in multisite setups where the unfiltered_html capability is disabled. The issue was initially reported to the vendor on June 14, 2023, and was publicly disclosed on August 28, 2023 (WPScan Advisory).

The vulnerability has been assigned CVE-2023-3226 and is classified as CWE-79 (Cross-Site Scripting). It received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue specifically affects the plugin's settings functionality, particularly in the Floating Button feature of image popups (NVD Database).

When exploited, this vulnerability allows high-privilege users to perform Stored Cross-Site Scripting attacks. The impact is particularly significant in multisite WordPress installations where the unfiltered_html capability is typically disabled as a security measure (WPScan Advisory).

The vulnerability has been patched in Popup Builder version 4.2.0. Users are advised to update to this version or later to mitigate the security risk (WPScan Advisory).