CVE-2024-9599: 
WordPress vulnerability analysis and mitigation

The Popup Box WordPress plugin before version 4.7.8 contains a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-9599. The vulnerability was discovered and publicly disclosed on October 7, 2024, affecting the plugin's settings functionality in WordPress installations (MITRE CVE, WPScan).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin, particularly affecting the plugin's settings functionality. This security flaw persists even when the unfiltered_html capability is disallowed, which is especially relevant in multisite setups. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD, Wiz).

When exploited, this vulnerability enables high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. The impact is particularly concerning in multisite WordPress installations where unfiltered_html capability restrictions are typically enforced for security purposes (WPScan).

The vulnerability has been patched in version 4.7.8 of the Popup Box plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).