CVE-2024-5004: 
WordPress vulnerability analysis and mitigation

The CM Popup Plugin for WordPress before version 1.6.6 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on July 1, 2024, and was assigned CVE-2024-5004. The issue affects the campaign settings functionality within the plugin, specifically impacting installations running versions prior to 1.6.6 (WPScan).

The vulnerability stems from improper sanitization and escaping of campaign settings fields. The issue has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Multiple fields are vulnerable to XSS injection, including the Basic Visual > Width field in the campaign creation interface (WPScan, NVD).

The vulnerability allows high-privilege users such as contributors to perform Stored Cross-Site Scripting attacks. When successfully exploited, the attacker can inject malicious scripts that will be executed when other users view the affected campaign pages (WPScan).

The vulnerability has been fixed in version 1.6.6 of the CM Popup Plugin for WordPress. Users are advised to update to this version or later to mitigate the risk (WPScan).