Description
The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows authenticated users with Author-level access to inject and execute arbitrary scripts on pages using the vulnerable block
Action: Update Plugin
AI Analysis

Impact

The ConvertForce Popup Builder plugin for WordPress contains a Stored Cross‑Site Scripting flaw in the entrance_animation attribute of its Gutenberg block. Because user input is neither validated nor escaped, an attacker who is logged in with Author or higher privileges can inject malicious scripts that run when any visitor loads a page containing the block. This flaw is listed as CWE‑79 and enables the attacker to compromise the confidentiality, integrity, or availability of the user’s browser session and can result in credential theft, defacement, or further compromise of the site.

Affected Systems

WordPress sites that have installed the ConvertForce Popup Builder plugin in any version up to and including 0.0.7 are affected. Version numbers are specified by the plugin’s developers as 0.0.0 through 0.0.7; no later versions of the plugin are known to contain this vulnerability.

Risk and Exploitability

The vulnerability scores a CVSS of 6.4, indicating a medium severity. The EPSS score is below 1 %, suggesting a low likelihood that attackers are actively exploiting the flaw. It is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated as an Author or higher and to embed malicious content within the block, which will then be rendered and executed by unsuspecting visitors. Because the attack vector is restricted to authenticated users performing content editing, the risk is limited to sites with many active authors, but any successful exploitation could affect all site visitors.

Generated by OpenCVE AI on April 20, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of ConvertForce Popup Builder (0.0.8 or newer) to remove the vulnerable entrance_animation attribute.
  • If an upgrade is not possible, remove the block or delete the plugin entirely from the site, or manually ensure that the entrance_animation attribute is sanitized to only allow safe values.
  • Implement a Content Security Policy that disallows inline scripts or restricts JavaScript sources, reducing the impact of any remaining XSS vectors.

Generated by OpenCVE AI on April 20, 2026 at 21:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Imtiazrayhan
Imtiazrayhan convertforce Popup Builder
Wordpress
Wordpress wordpress
Vendors & Products Imtiazrayhan
Imtiazrayhan convertforce Popup Builder
Wordpress
Wordpress wordpress

Mon, 12 Jan 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 10 Jan 2026 11:45:00 +0000

Type Values Removed Values Added
Description The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title ConvertForce Popup Builder <= 0.0.7 - Stored Cross-Site Scripting via entrance_animation
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Imtiazrayhan Convertforce Popup Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:54.051Z

Reserved: 2025-12-11T00:01:18.282Z

Link: CVE-2025-14506

cve-icon Vulnrichment

Updated: 2026-01-12T13:10:18.175Z

cve-icon NVD

Status : Deferred

Published: 2026-01-10T12:15:48.563

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14506

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses