Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nks Email Subscription Popup email-subscribe allows Stored XSS. This issue affects Email Subscription Popup: from n/a through <= 1.2.26.
Published: 2025-10-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Nks Email Subscription Popup plugin for WordPress fails to neutralize user-controlled input before writing it into generated pages (CWE-79), resulting in stored cross-site scripting. Markup injected into the plugin's stored content or settings is persisted and rendered on later page loads, so it executes in the browser of anyone who views the affected page, within the site's origin. Possible consequences include session hijacking, cookie theft, and injection of attacker-controlled content into the site.

Affected Systems

This vulnerability affects all versions of the Email Subscription Popup plugin up to and including 1.2.26; the description identifies the plugin by the slug email-subscribe. The advisory gives no lower bound ("from n/a"), so any installed version of the plugin should be treated as affected until a release later than 1.2.26 that addresses the issue is confirmed.

Risk and Exploitability

The CVSS 3.1 score of 5.9 (vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) rates the flaw medium. The PR:H and UI:R components matter for triage: exploitation requires an attacker who already holds a high-privilege account and a victim who interacts with the injected content. That is inconsistent with a payload submitted through the anonymous subscription form (which would be PR:N) and points instead to the plugin's administrative configuration interface, where stored content is later displayed to site visitors (hence S:C). The EPSS score is below 1%, suggesting a low likelihood of exploitation; the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no.

Generated by OpenCVE AI on April 30, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Email Subscription Popup plugin to a release later than 1.2.26 as soon as the vendor publishes one that addresses this issue; at the time of this page no such release is recorded.
  • If an immediate update is not possible, ensure the plugin's stored content is sanitized on save (for example with WordPress's sanitize_text_field or wp_kses helpers) and escaped on output (esc_html, esc_attr, or wp_kses_post), and review the popup content already stored in the database for injected markup. Because the CVSS vector records PR:H, limiting which accounts can edit the plugin's settings also reduces exposure.
  • If neither can be deployed quickly, deactivate or remove the plugin until a patched version is available, or replace it with an alternative that does not have this vulnerability.
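The sanitize-on-save, escape-on-output pattern recommended above, shown as an added illustration that is not code from the Email Subscription Popup plugin or from OpenCVE. It models a hypothetical WordPress settings handler that stores a popup heading and body text, in its vulnerable form beside a hardened one. The option names, field names, nonce action, settings group and function names are all assumptions made for this example.

```php
<?php
/**
 * Added illustration (not code from the Email Subscription Popup plugin):
 * a hypothetical settings handler that stores a popup heading and body.
 * Option, field, nonce and function names are assumptions for this example.
 */

// --- Vulnerable form: raw input is stored and later echoed unescaped. ---
function nks_example_save_settings_vulnerable() {
    // $_POST values are written straight to the options table ...
    update_option( 'nks_example_popup_heading', $_POST['popup_heading'] );
    update_option( 'nks_example_popup_body',    $_POST['popup_body'] );
}

function nks_example_render_popup_vulnerable() {
    // ... and printed to every visitor without escaping, so a stored
    // <script> tag or on* attribute runs in the visitor's browser.
    echo '<h2>' . get_option( 'nks_example_popup_heading' ) . '</h2>';
    echo '<div>' . get_option( 'nks_example_popup_body' ) . '</div>';
}

// --- Hardened form: capability + nonce check, sanitize on save, escape on output. ---
function nks_example_save_settings_hardened() {
    // Only users allowed to manage options may change popup content, and the
    // request must carry a valid nonce (blocks CSRF-driven storage of payloads).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'nks_example_save_settings' );

    // Plain-text field: tags and control characters are stripped on the way in.
    $heading = sanitize_text_field( wp_unslash( $_POST['popup_heading'] ?? '' ) );

    // Rich-text field: reduced to the post-safe HTML allow-list, which removes
    // <script>, event-handler attributes and javascript: URLs.
    $body = wp_kses_post( wp_unslash( $_POST['popup_body'] ?? '' ) );

    update_option( 'nks_example_popup_heading', $heading );
    update_option( 'nks_example_popup_body',    $body );
}

function nks_example_render_popup_hardened() {
    // Escape at the point of output as well: stored data may predate the fix
    // or have been written through another code path.
    echo '<h2>' . esc_html( get_option( 'nks_example_popup_heading', '' ) ) . '</h2>';
    echo '<div>' . wp_kses_post( get_option( 'nks_example_popup_body', '' ) ) . '</div>';
}

// Registering a sanitize_callback with the Settings API makes every save path
// (admin form, REST API, WP-CLI) run the filter, not only the handler above.
add_action( 'admin_init', function () {
    register_setting( 'nks_example_group', 'nks_example_popup_heading', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
    register_setting( 'nks_example_group', 'nks_example_popup_body', array(
        'type'              => 'string',
        'sanitize_callback' => 'wp_kses_post',
    ) );
} );
```

Two points about the hardened form. Sanitizing on save alone is not enough, because content already in the database (including anything injected before the fix) still reaches the page; the output escaping is what closes that gap. And because this class of bug requires a high-privilege account to plant the payload (PR:H in the vector above), the capability check does not remove the risk on its own: a compromised or malicious administrator can still submit the form, which is why the stored value must be filtered regardless of who saved it.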

Generated by OpenCVE AI on April 30, 2026 at 14:52 UTC.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 14:30:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added: Nks; Nks email Subscription Popup; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Nks; Nks email Subscription Popup; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nks Email Subscription Popup email-subscribe allows Stored XSS. This issue affects Email Subscription Popup: from n/a through <= 1.2.26.
Type: Title
Values Added: WordPress Email Subscription Popup plugin <= 1.2.26 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:24:20.135Z

Reserved: 2025-06-11T16:06:50.724Z

Link: CVE-2025-49912

Vulnrichment

Updated: 2025-10-23T14:08:24.917Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:37.183

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-49912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:00:14Z

Weaknesses