The WP Popup Window Maker plugin (wp-buy) for WordPress versions up to 2.0 contains a CSRF vulnerability that enables an attacker to inject stored XSS payloads. This occurs because the plugin does not adequately verify the origin of requests, allowing unauthorized commands to be executed with the privileges of an authenticated user. The vulnerability is publicly documented as CVE-2024-52421 with a CVSS 3.1 base score of 7.1, indicating high severity due to network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to stored XSS attacks, which may allow attackers to execute arbitrary scripts in the context of the affected site. This can result in data theft, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability of the system. The vulnerability affects all installations of WP Popup Window Maker up to version 2.0. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — no official fix or patch links are currently available. Users of WP Popup Window Maker should monitor the vendor's advisory channels for updates and apply any official patches once released. Until a fix is available, consider disabling or removing the plugin if feasible to reduce risk. Avoid interacting with suspicious links or sites that may attempt to exploit this vulnerability.