Impact
The vulnerability is a reflected Cross‑Site Scripting (XSS) flaw that arises from improper input neutralization in Astoundify’s WP Modal Popup with Cookie Integration plugin. An attacker could inject arbitrary JavaScript via specially crafted URLs or form inputs that are then reflected back in the web page, allowing execution of code in the victim’s browser and potential session hijacking or page manipulation. This weakness is classified as CWE‑79 and can compromise confidentiality and integrity for users who interact with the vulnerable site.
Affected Systems
Astoundify WP Modal Popup with Cookie Integration plugin instances running version 2.4 or earlier are affected. All installations that have not been updated beyond the 2.4 release are exposed; no other versions or products are listed as vulnerable.
Risk and Exploitability
The impact is moderate, reflected by a CVSS score of 5.9. The EPSS score is below 1%, indicating a relatively low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the victim clicking a malicious link or interacting with a vulnerable form that reflects unsanitized input. Successful exploitation would allow the attacker to run arbitrary JavaScript in the victim’s browser, potentially capturing session cookies or defacing the page. Given the moderate CVSS score and low exploitation probability, the overall risk for sites that remain at or below version 2.4 is considered moderate rather than high.