Improper neutralization of user input during web page generation in the Aman Popup addon for Ninja Forms allows a DOM‑based XSS flaw. An attacker can embed malicious JavaScript that will be executed in the browser context of any visitor who views a page containing the compromised popup. The resulting client‑side code execution can lead to credential theft, session hijacking, malicious redirection, or site defacement, thereby compromising confidentiality, integrity, and potentially availability of the affected site.

The vulnerability exists in the Aman Popup addon for Ninja Forms, affecting all installations from any initial version up to and including 3.4. Users running these versions should verify the installed version and update if possible.

The CVSS score of 6.5 classifies this issue as moderate severity. The EPSS score of less than 1% indicates a low current probability of exploitation, and the flaw is not listed in CISA KEV. The likely attack vector is client‑side, where a user interacts with a page that displays the popup; malicious script can be injected via form inputs or by curating a malicious playback from the popup’s content. Although the risk is moderate, exploitation requires only a single unauthorized payload embedded in the page that triggers the popup, making the vulnerability potentially widespread if a patch is not applied.