Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Árpád Lehel Mátyus Terms Popup On User Login terms-popup-on-user-login allows Stored XSS. This issue affects Terms Popup On User Login: from n/a through <= 2.0.8.
Published: 2025-05-07
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the Terms Popup On User Login plugin, where unfiltered legal terms or conditions text is displayed in a popup. Based on the description, it is inferred that an attacker could inject arbitrary client‑side code via the plugin's administrative input; the code would execute in browsers of any user who sees the popup, potentially compromising the confidentiality and integrity of user interactions on the site.

Affected Systems

WordPress installations running the Terms Popup On User Login plugin at version 2.0.8 or earlier are impacted. No specific WordPress core version is required; any site running the vulnerable plugin version is susceptible. Based on the description, it is inferred that the entry point for exploitation is the administrative input field used to define the legal text shown in the popup.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% suggests that active exploitation is currently rare. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that attackers can exploit the flaw by injecting malicious script into the plugin’s input form; once the payload is stored, no elevated privileges or additional system compromise are required for it to execute. The CVE description does not explicitly state the attack vector; the inference is based on the nature of stored XSS in the plugin.

Generated by OpenCVE AI on May 2, 2026 at 08:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Terms Popup On User Login plugin to a version newer than 2.0.8, which removes the vulnerability.
  • If an upgrade is not yet possible, disable or delete the plugin to eliminate the attack surface.
  • Ensure that any stored content displayed by the site is properly sanitized or encoded, following CWE‑79 remediation guidelines, and monitor for future plugin updates.

Advisories
Source: EUVD
ID: EUVD-2025-13780
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lehel Mátyus Legal Terms and Conditions Popup for User Login and WooCommerce Checkout – TPUL allows Stored XSS. This issue affects Legal Terms and Conditions Popup for User Login and WooCommerce Checkout – TPUL: from n/a through 2.0.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lehel Mátyus Legal Terms and Conditions Popup for User Login and WooCommerce Checkout – TPUL allows Stored XSS. This issue affects Legal Terms and Conditions Popup for User Login and WooCommerce Checkout – TPUL: from n/a through 2.0.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Árpád Lehel Mátyus Terms Popup On User Login terms-popup-on-user-login allows Stored XSS. This issue affects Terms Popup On User Login: from n/a through <= 2.0.8.

Type: Title
Values Removed: WordPress Legal Terms and Conditions Popup for User Login and WooCommerce Checkout – TPUL <= 2.0.3 - Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress Legal Terms and Conditions Popup for User Login and WooCommerce Checkout – TPUL plugin <= 2.0.8 - Cross Site Scripting (XSS) Vulnerability

Type: References

Type: Metrics
cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00036}
Values Added: epss {'score': 0.00042}


Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lehel Mátyus Legal Terms and Conditions Popup for User Login and WooCommerce Checkout – TPUL allows Stored XSS. This issue affects Legal Terms and Conditions Popup for User Login and WooCommerce Checkout – TPUL: from n/a through 2.0.3.
Title WordPress Legal Terms and Conditions Popup for User Login and WooCommerce Checkout – TPUL <= 2.0.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:46.543Z

Reserved: 2025-05-07T10:44:15.222Z

Link: CVE-2025-47592

Vulnrichment

Updated: 2025-05-07T17:19:59.088Z

NVD

Status: Deferred

Published: 2025-05-07T15:16:12.787

Modified: 2026-04-23T15:30:33.633

Link: CVE-2025-47592

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:30:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')