Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Erez Hadas-Sonnenschein Smartarget Popup smartarget-popup allows Stored XSS. This issue affects Smartarget Popup: from n/a through <= 1.5.
Published: 2025-04-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input (CWE-79) that allows stored cross-site scripting (XSS) in the Erez Hadas-Sonnenschein Smartarget Popup plugin. An attacker who can write to the popup's content fields can persist JavaScript that the plugin emits without escaping, so it executes in the browser of every visitor to whom the popup is rendered. No further consequences are described in the CVE record.

Affected Systems

The affected product is the WordPress Smartarget Popup plugin (slug smartarget-popup) released by Erez Hadas-Sonnenschein. Versions up to and including 1.5 are vulnerable; the advisory was first published for <= 1.4 and later widened to <= 1.5, so version 1.5 must not be treated as fixed.

Risk and Exploitability

The CVSS 3.1 base score of 5.9 places the vulnerability in the Medium range, and the EPSS score below 1% indicates that exploitation is unlikely at this time; the SSVC assessment likewise records no known exploitation and rates the issue as not automatable. It is not listed in the CISA KEV catalog. The vector (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) describes a network-reachable issue that requires a highly privileged account on the WordPress site (PR:H) and user interaction (UI:R), with a scope change because the injected script runs in visitors' browsers rather than on the server. In practice, an attacker who already holds an account able to edit popup content stores JavaScript that the plugin renders unsanitized, and it executes for every visitor to whom the popup is shown. The privilege requirement keeps the practical risk at low to medium, depending on how widely the popup is displayed and how many accounts hold the capability to edit it.

Generated by OpenCVE AI on May 2, 2026 at 02:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Smartarget Popup plugin to a version that addresses this issue as soon as the vendor releases one. Because the affected range was widened from <= 1.4 to <= 1.5 after initial publication, confirm that the installed version is above the range in the current advisory rather than assuming the newest release is fixed.
  • If an immediate update is not possible, disable the plugin or restrict the popup content it renders via the plugin settings, and limit the number of accounts that can edit popup settings, since the attack requires a privileged user.
  • If disabling the feature is not feasible, escape every stored value at the point where it is written into the popup markup, choosing the WordPress helper for the output context: esc_html for element text, esc_attr for attribute values, esc_url for href or src targets, and wp_kses_post where limited HTML must be allowed. Local edits to plugin files are overwritten by updates, so record the change and re-apply or verify it after each upgrade.

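The escaping advice above, as an added illustration that is not the plugin's own code: a hypothetical popup renderer that concatenates stored settings straight into HTML, beside a hardened version that escapes or validates each value for the context it lands in. The option names, the render_* functions, the safe_hex_color check and the stub definitions of the WordPress helpers (present only so the file runs under the PHP CLI without WordPress loaded) are assumptions; inside WordPress the real esc_html, esc_attr and esc_url are used.

```php
<?php
// Added example for this advisory: a hypothetical popup renderer, not code
// from the Smartarget Popup plugin. Option names and both render_* functions
// are assumptions made for illustration.

// Stubs so the file runs under the PHP CLI without WordPress loaded. Inside
// WordPress the real esc_html/esc_attr/esc_url exist and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: only http(s) URLs survive, so javascript: is dropped.
    function esc_url($url) {
        $url = trim((string) $url);
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample of stored popup settings, shaped the way an account with
// the privilege to edit popup content could have saved them.
function sample_settings(): array {
    return [
        'title'    => 'Sale ends soon<script>alert(document.cookie)</script>',
        'bg_color' => '#fff" onmouseover="alert(1)',
        'link'     => 'javascript:alert(1)',
    ];
}

// Vulnerable pattern (CWE-79): stored values concatenated straight into HTML.
// Every field breaks out of its context: the title injects a script element,
// bg_color closes the style attribute and adds an event handler, and the
// link carries a javascript: URL.
function render_popup_unescaped(array $s): string {
    return '<div class="popup" style="background:' . $s['bg_color'] . '">'
         . '<h2>' . $s['title'] . '</h2>'
         . '<a href="' . $s['link'] . '">Learn more</a>'
         . '</div>';
}

// CSS values are a special case: esc_attr keeps the attribute intact but still
// lets arbitrary CSS through, so validate against an allow-list instead.
function safe_hex_color(string $value, string $fallback = '#ffffff'): string {
    return preg_match('/^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i', $value) ? $value : $fallback;
}

// Hardened pattern: each value escaped (or validated) for the context it lands in.
function render_popup_escaped(array $s): string {
    return '<div class="popup" style="background:' . esc_attr(safe_hex_color($s['bg_color'])) . '">'
         . '<h2>' . esc_html($s['title']) . '</h2>'
         . '<a href="' . esc_url($s['link']) . '">Learn more</a>'
         . '</div>';
}

$settings = sample_settings();
echo "Unescaped:\n" . render_popup_unescaped($settings) . "\n\n";
echo "Escaped:\n" . render_popup_escaped($settings) . "\n";
```

Run with `php popup_example.php`: the unescaped output contains a live script element, an injected onmouseover handler and a javascript: link, while the escaped output renders the title as literal text, falls back to a valid colour, and drops the link target entirely. If the popup body must accept limited HTML, pass it through wp_kses_post instead of esc_html; escaping applies at output time regardless of what was sanitised on save.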
Generated by OpenCVE AI on May 2, 2026 at 02:42 UTC.

Advisories

Source  ID  Title
EUVD  EUVD-2025-9191  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Erez Hadas-Sonnenschein Smartarget Popup allows Stored XSS. This issue affects Smartarget Popup: from n/a through 1.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Erez Hadas-Sonnenschein Smartarget Popup allows Stored XSS. This issue affects Smartarget Popup: from n/a through 1.4.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Erez Hadas-Sonnenschein Smartarget Popup smartarget-popup allows Stored XSS. This issue affects Smartarget Popup: from n/a through <= 1.5.

Type: Title
Values removed: WordPress Smartarget Popup Plugin <= 1.4 - Cross Site Scripting (XSS) vulnerability
Values added: WordPress Smartarget Popup Plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability

Type: References (no values listed)

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Tue, 01 Apr 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Erez Hadas-Sonnenschein Smartarget Popup allows Stored XSS. This issue affects Smartarget Popup: from n/a through 1.4.

Type: Title
Values added: WordPress Smartarget Popup Plugin <= 1.4 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values added: CWE-79

Type: References (no values listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:14.320Z

Reserved: 2025-04-01T13:21:00.364Z

Link: CVE-2025-31853

Vulnrichment

Updated: 2025-04-01T15:43:33.512Z

NVD

Status : Deferred

Published: 2025-04-01T15:16:26.640

Modified: 2026-04-23T15:28:25.370

Link: CVE-2025-31853

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:45:32Z

Weaknesses