CVE-2023-5809: 
WordPress vulnerability analysis and mitigation

The Popup box WordPress plugin before version 3.8.6 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-5809. The vulnerability was discovered and publicly disclosed on November 13, 2023. The affected software is the ays-popup-box WordPress plugin, which fails to properly sanitize and escape certain settings (WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically a stored XSS vulnerability with a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue stems from improper neutralization of input during web page generation (CWE-79). The vulnerability specifically affects the plugin's categories functionality, where certain settings are not properly sanitized and escaped (NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly relevant in multisite setups. This could potentially lead to the execution of arbitrary web scripts in the context of other users' browsers (WPScan).

The vulnerability has been fixed in version 3.8.6 of the Popup box WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).