WordPress Popup Builder version 3.49 is vulnerable to a persistent cross‑site scripting flaw that can be exploited by users with authentication to the administrative interface of a WordPress site. The flaw enables the attacker to insert malicious JavaScript through the post_title field of popup records by breaking out of the <option> tags in the post.php endpoint. Once the payload is stored, it executes whenever a page displays the affected popup, allowing the attacker to steal credentials, deface content, or redirect visitors to malicious sites. The weakness is a typical reflected input validation error, identified as CWE‑79.

Any WordPress installation that has Popup Builder plugin 3.49 installed is affected. The vulnerability exists in the “Popup Builder” plugin by the vendor Popup‑Builder. The version number 3.49 is specifically cited; newer releases after 3.49 are assumed to contain the fix, but no version list is included in the advisory.

The CVSS score of 5.1 classifies the vulnerability as medium severity. No EPSS score is available, so the likelihood of exploitation in the wild cannot be quantified from this data. The flaw is not listed in the CISA KEV catalog, suggesting no confirmed large‑scale exploitation has been reported. The typical attack vector requires the attacker to be authenticated with sufficient privileges to edit popup settings, but does not require prior knowledge of site internals. Once authenticated, the attacker can send a crafted POST request to post.php with a malicious payload in the post_title field; because the data is stored and later rendered as part of an AJAX response when the popup is loaded, it provides a persistent attack surface.