CVE-2023-6591: 
WordPress vulnerability analysis and mitigation

The Popup Box WordPress plugin before version 20.9.0 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-6591. The vulnerability was discovered and reported by John Jefferson Li, and publicly disclosed on January 22, 2024. The security flaw affects the plugin's settings functionality, specifically impacting installations where high-privilege users such as administrators are present (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating that it requires high privileges and user interaction to exploit (NVD).

The vulnerability allows high-privilege users such as administrators to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. This is particularly significant in environments where content filtering is relied upon as a security measure (WPScan).

The vulnerability has been patched in version 20.9.0 of the Popup Box WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).