Description
The Popup Box – Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Popup Box – Easily Create WordPress Popups plugin is vulnerable to stored cross‑site scripting through its iframeBox shortcode in all versions up to 3.2.12. Insufficient input sanitization and output escaping allow an attacker with contributor‑level or higher WordPress access to inject arbitrary JavaScript that will run whenever a site visitor views any page containing the malicious shortcode. This can lead to session hijacking, data theft, or defacement of the site. The weakness is a classic stored XSS flaw.

Affected Systems

All installations of the Popup Box – Easily Create WordPress Popups plugin on WordPress sites where the plugin version is 3.2.12 or earlier are affected. The flaw exists in any configuration where contributors can create or edit content that includes the iframeBox shortcode.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw only after authenticating as a contributor-level or higher user, which is the inferred attack vector. Once an attacker injects malicious scripts via the shortcode, the stored payload is delivered to every visitor of the affected pages, giving the flaw broad impact across the site's audience.

Generated by OpenCVE AI on April 21, 2026 at 00:14 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Popup Box plugin to version 3.2.13 or later to remove the stored cross‑site scripting flaw.
  • If an upgrade cannot be performed immediately, deactivate the plugin to close the injection path.
  • Audit existing content (posts, pages, widgets) for the iframeBox shortcode and strip or sanitize any suspicious instances.
  • Restrict contributor capabilities to prevent the creation of malicious shortcodes, or assign lower roles to users who do not need full editing access.
  • Implement a content filtering plugin or custom sanitization for shortcode attributes to block future injection attempts.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 13:15:00 +0000

  • Metrics (ssvc), values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

  • First Time appeared, values added: Wordpress; Wordpress wordpress; Wpcalc; Wpcalc popup Box – Easily Create Wordpress Popups
  • Vendors & Products, values added: Wordpress; Wordpress wordpress; Wpcalc; Wpcalc popup Box – Easily Create Wordpress Popups

Wed, 18 Feb 2026 06:00:00 +0000

  • Description, value added: The Popup Box – Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  • Title, value added: Popup Box – Easily Create WordPress Popups <= 3.2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
  • Weaknesses, value added: CWE-78
  • References: none listed
  • Metrics (cvssV3_1), value added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:46.042Z

Reserved: 2025-10-23T18:18:00.897Z

Link: CVE-2025-12122

Vulnrichment

Updated: 2026-02-18T12:25:14.006Z

NVD

Status: Deferred

Published: 2026-02-18T06:16:33.027

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12122

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:15:16Z

Weaknesses