CVE-2024-35655: 
NixOS vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Brave Popup Builder WordPress plugin, affecting versions up to 0.6.9. The vulnerability was identified on June 3, 2024, and assigned CVE-2024-35655. The plugin, which is used for creating popups and lead generation forms in WordPress, fails to properly sanitize and escape certain settings (Patchstack, WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). It received a CVSS v3.1 base score of 4.8 (Medium) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. Patchstack assigned a slightly higher CVSS score of 5.9 (Medium). The issue specifically affects the plugin's settings functionality, where certain input fields are not properly sanitized or escaped (NVD).

The vulnerability could allow high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). This could potentially lead to the injection of malicious scripts, including redirects, advertisements, and other HTML payloads that would be executed when visitors access the affected site (Patchstack).

The vulnerability has been patched in version 0.7.0 of the Brave Popup Builder plugin. Site administrators are strongly advised to update to this version or later to resolve the security issue (WPScan).