CVE-2024-30184: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Popup Builder WordPress plugin, tracked as CVE-2024-30184. The vulnerability affects versions up to 4.2.6 and is related to insufficient input sanitization and output escaping on user-supplied attributes in the plugin's sgpopup shortcode (WPSCAN, [PATCHSTACK](https://patchstack.com/database/vulnerability/popup-builder/wordpress-popup-builder-plugin-4-2-6-cross-site-scripting-xss-vulnerability?s_id=cve)).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The issue specifically involves the plugin's sgpopup shortcode, where insufficient input sanitization and output escaping of user-supplied attributes creates an XSS vulnerability ([PATCHSTACK](https://patchstack.com/database/vulnerability/popup-builder/wordpress-popup-builder-plugin-4-2-6-cross-site-scripting-xss-vulnerability?s_id=cve)).

The vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to the injection of malicious redirects, advertisements, and other HTML payloads that execute when visitors access the site (WPSCAN, PATCHSTACK).

The vulnerability has been patched in version 4.2.7 of the Popup Builder plugin. Users are advised to update to this version or later to remediate the security issue (PATCHSTACK).