CVE-2023-6000: 
WordPress vulnerability analysis and mitigation

The Popup Builder WordPress plugin before version 4.2.3 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-6000. The vulnerability was discovered on November 7, 2023, and was fixed with the release of version 4.2.3 on December 7, 2023. The issue affects all versions of the Popup Builder plugin prior to 4.2.3 (WPScan Blog).

The vulnerability stems from the plugin's failure to implement proper authorization checks, allowing unauthenticated visitors to update existing popups and inject raw JavaScript code. The issue received a CVSS v3.1 base score of 6.1 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When successfully exploited, this vulnerability allows attackers to perform any action that a logged-in administrator is permitted to do on the targeted site, including installing arbitrary plugins and creating new administrator users. The attack can be executed without requiring any authentication on the target site (WPScan Blog).

The vulnerability has been patched in Popup Builder version 4.2.3. Site administrators are strongly advised to update to this version or later to protect against this security issue. No alternative workarounds have been published (WPScan Blog).