CVE-2024-5561: 
WordPress vulnerability analysis and mitigation

The Popup Maker WordPress plugin before version 1.19.1 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability stems from improper sanitization and escaping of certain plugin settings, which affects high-privilege users such as administrators, particularly in multisite setups where the unfiltered_html capability is disallowed (NVD, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue specifically relates to insufficient input validation in the plugin's settings, allowing for the injection of malicious scripts that can be stored and executed later (NVD).

When exploited, this vulnerability allows high-privilege users to perform Stored Cross-Site Scripting attacks. This is particularly significant in multisite WordPress installations where the unfiltered_html capability is typically restricted for security purposes. The impact is rated as having low confidentiality and integrity consequences (NVD).

The vulnerability has been patched in version 1.19.1 of the Popup Maker plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).