Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Iser Popup Maker popup-maker allows Stored XSS.This issue affects Popup Maker: from n/a through <= 1.20.2.
Published: 2025-01-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during web page generation in the Popup Maker plugin leads to a stored cross‑site scripting flaw. Malicious script code can be embedded into plugin data and later executed whenever the affected page is rendered, potentially giving an attacker the ability to steal visitor credentials, deface content, inject further malware, or hijack user sessions. The vulnerability persists until the stored data is removed or the plugin is updated.

Affected Systems

The flaw is present in Daniel Iser’s Popup Maker WordPress plugin versions up through 1.20.2. Any WordPress site running a version this old or older of the plugin, or that has not yet applied the official update, is at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% shows a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would probably need to inject the malicious input via the plugin’s administrative interface, which is only accessible to users with sufficient WordPress permissions, making the required access level high. Once the script is stored, it runs in the context of any site visitor, potentially exposing them to the consequences mentioned above.

Generated by OpenCVE AI on May 1, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Popup Maker to the latest version (≥ 1.20.3) to remove the XSS vulnerability.
  • If the plugin cannot be updated, permanently deactivate or uninstall it to prevent exploitation.
  • Audit all plugin content and WordPress posts for unexpected JavaScript or obfuscated code that may have been injected through the vulnerable interface and remove any findings.

Generated by OpenCVE AI on May 1, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3935 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Popup Maker Popup Maker allows Stored XSS. This issue affects Popup Maker: from n/a through 1.20.2.
History

Fri, 24 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Popup Maker Popup Maker allows Stored XSS. This issue affects Popup Maker: from n/a through 1.20.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Iser Popup Maker popup-maker allows Stored XSS.This issue affects Popup Maker: from n/a through <= 1.20.2.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 28 Mar 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Code-atlantic
Code-atlantic popup Maker
CPEs cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*
Vendors & Products Code-atlantic
Code-atlantic popup Maker

Fri, 24 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Popup Maker Popup Maker allows Stored XSS. This issue affects Popup Maker: from n/a through 1.20.2.
Title WordPress Popup Maker plugin <= 1.20.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Code-atlantic Popup Maker
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:33.900Z

Reserved: 2025-01-23T14:53:00.531Z

Link: CVE-2025-24746

cve-icon Vulnrichment

Updated: 2025-02-12T19:54:20.967Z

cve-icon NVD

Status : Modified

Published: 2025-01-24T18:15:48.437

Modified: 2026-04-23T15:25:25.727

Link: CVE-2025-24746

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T18:30:05Z

Weaknesses