The vulnerability arises from the plugin's failure to properly neutralize user input when generating web pages. This leads to a stored cross‑site scripting flaw that allows an attacker to inject malicious scripts into contexts viewed by other users. An attacker who can write or modify plugin data could embed scripts that execute when legitimate visitors load the affected page, potentially enabling session hijack, credential theft, or defacement. The weakness corresponds to CWE‑79.

Astoundify WP Modal Popup with Cookie Integration plugin, versions up to and including 2.4. All releases from the earliest available version through 2.4 are vulnerable until the plugin is updated beyond that point.

The CVSS score of 5.9 indicates a medium severity vulnerability, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, implying no known active exploitation. The attack vector is inferred to require an attacker to submit or alter content through the plugin’s interface, indicating that users with write permissions to plugin data are the primary risk group. Although the probability of exploitation is relatively low, the impact of successful injection could compromise user sessions and site integrity, warranting prompt remediation.