CVE-2023-5874: 
WordPress vulnerability analysis and mitigation

The Popup box WordPress plugin before version 3.8.6 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-5874. The vulnerability was discovered on November 13, 2023, and affects the plugin's settings functionality. The issue impacts installations where high-privilege users such as administrators operate in environments where the unfiltered_html capability is disallowed, such as in multisite setups (WPScan).

The vulnerability stems from improper sanitization and escaping of certain settings in the plugin. It has been assigned a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed. This is particularly concerning in multisite WordPress installations where such restrictions are commonly implemented (WPScan).

The vulnerability has been patched in version 3.8.6 of the Popup box WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).