
CVE-2024-9599: CWE-79 Cross-Site Scripting (XSS) in Unknown Popup Box

Medium
Tags: Vulnerability, CVE-2024-9599, cve, cwe-79
Published: Thu May 15 2025 (05/15/2025, 20:07:21 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Popup Box

Description

The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI-Powered Analysis

Last updated: 07/04/2025, 16:10:09 UTC

Technical Analysis

CVE-2024-9599 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability in the Popup Box WordPress plugin in versions before 4.7.8. The plugin stores some of its settings without sanitising them and renders them without escaping, so a user who can edit those settings can persist arbitrary HTML and JavaScript in the site's options and have it executed in the browser of anyone who views the affected output. The notable detail is that the control WordPress normally relies on to contain this, the unfiltered_html capability, does not help here. In a multisite network only super admins hold unfiltered_html, and on a single site it can be withheld with DISALLOW_UNFILTERED_HTML; for users without it WordPress passes post content through its KSES filter before saving. Plugin option values, however, are stored exactly as the plugin's own code saves them, so a settings field with no sanitisation bypasses that control entirely. This is the classic CWE-79 pattern, improper neutralisation of input during web page generation.

The CVSS 3.1 base score listed is 5.4 (medium): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R, a victim must load the page that renders the setting), and changed scope (S:C, since script running in the victim's browser acts beyond the plugin itself), with limited confidentiality and integrity impact and no availability impact. Note that the description itself requires administrator-level access to the plugin settings, so in practice the attacker is an already-privileged user, for example the administrator of one site in a multisite network, targeting other administrators or super admins. No exploitation in the wild has been reported. Because WordPress authentication cookies are HttpOnly, the realistic payoff is not cookie theft but actions performed with the victim's session and nonces, such as creating a new administrator or super admin, editing theme or plugin files, or defacing the site.
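To make the mechanism concrete, the following is an added illustrative example of the WordPress settings pattern behind "does not sanitise and escape some of its settings"; it is not code from the Popup Box plugin, whose affected option names are not disclosed here. The option names (demo_popup_*), settings group and render hooks are hypothetical. The vulnerable half registers an option with no sanitize callback and echoes it raw; the hardened half sanitises on save and escapes for the output context, which is the fix class that 4.7.8 would need to apply.

```php
<?php
/*
 * Added illustrative example, not code from the Popup Box plugin.
 * Shows why withholding unfiltered_html does not help: WordPress only runs
 * KSES over post content for users without that capability. Option values
 * are stored exactly as the plugin saves them, so the sanitize_callback
 * passed to register_setting() is the only filter a settings field gets.
 * All demo_popup_* names below are hypothetical.
 */

// --- Vulnerable pattern: raw option in, raw option out -------------------

add_action('admin_init', function () {
    // No sanitize_callback: whatever the submitting admin sends is stored
    // verbatim in wp_options, e.g. <img src=x onerror=alert(document.domain)>
    register_setting('demo_popup_options', 'demo_popup_title_vuln');
});

function demo_popup_render_vuln() {
    // Unescaped output: the stored markup executes for every visitor,
    // including super admins viewing the site.
    echo '<div class="popup-title">' . get_option('demo_popup_title_vuln') . '</div>';
}

// --- Hardened pattern: sanitise on save, escape on output -----------------

add_action('admin_init', function () {
    register_setting('demo_popup_options', 'demo_popup_title', [
        'type'              => 'string',
        // Runs via the sanitize_option_{$option} filter on every update_option()
        'sanitize_callback' => 'sanitize_text_field', // strips tags and control characters
        'default'           => '',
    ]);
    // A field that legitimately needs markup: limit it to what WordPress
    // allows in post content for a user without unfiltered_html.
    register_setting('demo_popup_options', 'demo_popup_body', [
        'type'              => 'string',
        'sanitize_callback' => 'wp_kses_post',
        'default'           => '',
    ]);
});

function demo_popup_render_safe() {
    $title = get_option('demo_popup_title', '');
    $body  = get_option('demo_popup_body', '');
    // Escape for the context each value lands in: attribute vs text node.
    printf(
        '<div class="popup-title" data-title="%s">%s</div><div class="popup-body">%s</div>',
        esc_attr($title),
        esc_html($title),
        wp_kses_post($body) // filtered again on output for defence in depth
    );
}
add_action('wp_footer', 'demo_popup_render_safe');
```

The key point for reviewers of any plugin is the pairing: a sanitize_callback on every register_setting() (or an explicit sanitiser before update_option() when the plugin bypasses the Settings API) and a context-appropriate esc_* call at every echo. Either one alone leaves the stored-XSS path open for exactly the privileged-but-not-unfiltered_html users this advisory describes.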

Potential Impact

For European organizations running WordPress sites with the vulnerable Popup Box plugin, this vulnerability is primarily a risk to site integrity and confidentiality. A user who already holds administrator-level access to the plugin's settings could inject scripts that execute in the browsers of other administrators, super admins or visitors, leading to credential theft, unauthorised actions performed with the victim's session, or further compromise of the site. In multisite environments, common in larger organisations and at managed service providers, the risk is greater because the usual safeguard of withholding unfiltered_html from site administrators does not apply to plugin settings, so a single site administrator can stage a payload that runs against a super admin and from there affect every site in the network. Given how widely WordPress is used for corporate websites, e-commerce platforms and intranets in Europe, exploitation could result in reputational damage, data breaches, and regulatory non-compliance under GDPR if personal data is exposed or manipulated.

Mitigation Recommendations

Organizations should immediately verify whether the Popup Box plugin is installed and which version is in use, via the Plugins screen or WP-CLI (wp plugin list), on every site in a multisite network. Versions before 4.7.8 are affected; update to 4.7.8 or later, which is the release the advisory identifies as fixed. If updating is not immediately possible, restrict access to the plugin's settings to trusted users or deactivate the plugin. Two controls commonly relied on do not address this issue: withholding unfiltered_html (or setting DISALLOW_UNFILTERED_HTML) has no effect because the plugin stores its options outside WordPress's KSES filtering, and a WAF sees only a legitimate authenticated settings update, so signature rules for XSS payloads give limited assurance. A Content Security Policy that restricts inline script can reduce the impact on the public site, but the WordPress admin depends heavily on inline scripts, so test any policy carefully before enforcing it. Audit administrator and super admin accounts and remove privileges that are not needed; in multisite, treat every site administrator as able to affect the network. Monitor for changes to the plugin's options (for example unexpected markup in its values in the wp_options table) and for the follow-on activity this would enable, such as newly created administrator users or modified plugin and theme files.


Technical Details

Data Version
5.1
Assigner Short Name
WPScan
Date Reserved
2024-10-07T18:41:38.577Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0f91484d88663aeba78

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/4/2025, 4:10:09 PM

Last updated: 8/1/2025, 10:15:16 AM
