Description
The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's xoo_el_action shortcode in all versions up to, and including, 2.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-02-20
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The plugin contains a stored XSS vulnerability triggered by the xoo_el_action shortcode due to lack of proper input sanitization and output escaping. Authenticated users with contributor-level or higher privileges can inject arbitrary scripts that will execute in the browsers of all users who view the affected page. Such exploitation could lead to defacement, credential theft, or session hijacking, posing a medium severity risk to confidentiality and user experience.

Affected Systems

All installations of the WordPress plugin "Login & Register Customizer – Popup | Slider | Inline | WooCommerce" by xootix, versions up to and including 2.8.5. Systems running WordPress with WooCommerce that permit contributor or higher role accounts utilizing this plugin are susceptible; later releases are not known to be vulnerable.

Risk and Exploitability

The CVSS base score is 6.4 and the EPSS score is less than 1%, indicating a modest likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Because it requires authenticated access, the attack surface is limited to users with contributor or higher roles, but once injected a malicious script will run for any visitor to the page. Overall, administrators should consider this a medium risk that warrants prompt remediation.

Generated by OpenCVE AI on April 20, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Login & Register Customizer plugin to a version newer than 2.8.5; if no such version is available, uninstall the plugin.
  • Remove or disable the xoo_el_action shortcode from any content and restrict its usage to trusted authors only.
  • Review and restrict contributor-level accounts, removing unused accounts or downgrading privileges where possible.
  • Implement a web application firewall rule that blocks script injection in shortcode attributes.

Generated by OpenCVE AI on April 20, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4623 The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's xoo_el_action shortcode in all versions up to, and including, 2.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 25 Feb 2025 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Xootix
Xootix login\/signup Popup
CPEs cpe:2.3:a:xootix:login\/signup_popup:*:*:*:*:*:wordpress:*:*
Vendors & Products Xootix
Xootix login\/signup Popup

Thu, 20 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 20 Feb 2025 08:30:00 +0000

Type Values Removed Values Added
Description The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's xoo_el_action shortcode in all versions up to, and including, 2.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Login/Signup Popup ( Inline Form + Woocommerce ) <= 2.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via xoo_el_action Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Xootix Login\/signup Popup
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:00.626Z

Reserved: 2025-02-05T18:05:32.533Z

Link: CVE-2025-1064

cve-icon Vulnrichment

Updated: 2025-02-20T16:11:05.511Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-20T09:15:09.903

Modified: 2025-02-25T20:41:01.500

Link: CVE-2025-1064

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z

Weaknesses