Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in coffeestudios Pop Up popup-seo-optimized allows Stored XSS.This issue affects Pop Up: from n/a through <= 0.1.
Published: 2025-02-07
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of user input during web page generation, allowing attacker‑supplied content to be stored and later executed as script on a victim’s browser. If exploited, malicious JavaScript can run in the context of any user visiting a site that uses the vulnerable plugin, potentially defacing the site, stealing session cookies, or redirecting users. The weakness is a classic stored XSS flaw (CWE‑79).

Affected Systems

WordPress sites that have the Coffeestudios Pop Up plugin installed with a version number less than or equal to 0.1. This includes all releases from the initial release through version 0.1. No newer versions are mentioned in the data.

Risk and Exploitability

The CVSS score of 5.9 marks the vulnerability as medium severity, while the EPSS score of less than 1% indicates a very low probability of widespread exploitation at present. The issue is not listed in the CISA KEV catalog, meaning no known active exploitation at the time of this analysis. The likely attack vector is a stored XSS attack, where an attacker injects malicious script into the plugin’s input fields, which is then rendered unescaped on subsequent page loads for all visitors.

Generated by OpenCVE AI on May 1, 2026 at 17:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pop Up plugin to a version newer than 0.1 or install the latest available release if one exists.
  • If upgrading is not immediately possible, disable or remove the plugin entirely from the WordPress installation.
  • Enable a web application firewall or content security policy that blocks or sanitizes unsanitized script input to mitigate potential XSS injection.

Generated by OpenCVE AI on May 1, 2026 at 17:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4035 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in coffeestudios Pop Up allows Stored XSS. This issue affects Pop Up: from n/a through 0.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in coffeestudios Pop Up allows Stored XSS. This issue affects Pop Up: from n/a through 0.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in coffeestudios Pop Up popup-seo-optimized allows Stored XSS.This issue affects Pop Up: from n/a through <= 0.1.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Fri, 07 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 07 Feb 2025 10:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in coffeestudios Pop Up allows Stored XSS. This issue affects Pop Up: from n/a through 0.1.
Title WordPress Pop Up Plugin <= 0.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:35.604Z

Reserved: 2025-02-03T13:34:30.657Z

Link: CVE-2025-25105

cve-icon Vulnrichment

Updated: 2025-02-07T14:53:34.839Z

cve-icon NVD

Status : Deferred

Published: 2025-02-07T10:15:16.217

Modified: 2026-06-17T09:00:18.263

Link: CVE-2025-25105

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T17:15:21Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')