The Simple Popup Plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input during web page generation. Specifically, the plugin fails to adequately sanitize and escape user-supplied attributes in its [popup] shortcode, allowing authenticated users with contributor-level privileges or higher to inject malicious scripts. These scripts execute in the context of any user who views the compromised page, potentially leading to session hijacking or other script-based attacks. The vulnerability affects all versions up to and including 4.5. The CVSS 3.1 score of 6.4 reflects network attack vector, low attack complexity, privileges required at the contributor level, no user interaction needed, and partial confidentiality and integrity impact without availability impact. No patch or official remediation has been documented yet.

An attacker with contributor-level access or higher can inject persistent malicious scripts into pages via the plugin's shortcode. These scripts execute in the browsers of users who visit the infected pages, potentially compromising user sessions or performing unauthorized actions within the affected site context. The impact is limited to confidentiality and integrity, with no direct availability impact. Since the vulnerability requires authenticated access, the risk is mitigated somewhat by access controls but remains significant in environments with multiple contributors.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, site administrators should consider restricting contributor-level access to trusted users only and monitor for suspicious shortcode usage. Applying general WordPress security best practices may help reduce risk but will not fully mitigate this specific vulnerability.