Impact
An improper neutralization of input during web page generation in the Crocoblock JetPopup plugin allows a DOM‑based cross‑site scripting attack. When an attacker can supply custom data that is reflected by the plugin, malicious JavaScript can execute in the victim’s browser. The payload can read or modify page content, steal session cookies, or perform other client‑side attacks that compromise user confidentiality and integrity. The described vulnerability does not grant direct code execution on the server, but it enables attackers to hijack sessions or trick users into phishing interactions.
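The reflection pattern described above, as an added example in JavaScript that is not code from the JetPopup plugin or from Crocoblock: the unsafe rendering of attacker-supplied data beside a hardened form, plus a simple request-log check a defender can apply. The URL, parameter name and CSS class are assumptions, and the browser sink is simulated so the block runs under Node.

```javascript
// Added example, not code from the JetPopup plugin or from Crocoblock.
// It models the DOM-based XSS pattern in the advisory: data an attacker
// controls reaches an HTML sink without neutralization. Runs under Node;
// the browser sink (element.innerHTML = html) is simulated by returning the
// markup string. Class names and parameter names below are made up.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Neutralize the characters that switch context inside HTML text/attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Typical DOM-XSS source: a query-string parameter (in the browser this would
// be read from location.search). Returns "" when the parameter is absent.
function paramFromUrl(url, name) {
  return new URL(url).searchParams.get(name) ?? "";
}

// Vulnerable pattern: the untrusted value is concatenated straight into markup
// destined for innerHTML, so any tags it carries become live DOM nodes.
function renderPopupUnsafe(untrusted) {
  return `<div class="popup-message">${untrusted}</div>`;
}

// Hardened pattern: the same value is escaped before it reaches the sink, so
// it is rendered as visible text rather than parsed as HTML.
function renderPopupSafe(untrusted) {
  return `<div class="popup-message">${escapeHtml(untrusted)}</div>`;
}

// Defender-side check for request logs: does a reflected parameter value
// contain markup at all? Popup text should never need tags, so a '<' that
// starts a tag, or a quote followed by an on*= attribute, is worth alerting on.
function looksLikeMarkupInjection(value) {
  return /<\s*[a-z!\/]/i.test(value) || /["'][^"']*on[a-z]+\s*=/i.test(value);
}

// Constructed demonstration input (not from the advisory): a harmless tag.
const demoUrl = "https://example.com/?msg=%3Cb%3Ehello%3C%2Fb%3E";
const demoParam = paramFromUrl(demoUrl, "msg"); // "<b>hello</b>"
```

In a real page the safe variant (or, better, assigning the value to `textContent`) is what should feed the popup element; the unsafe variant is shown only to make the difference visible.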
Affected Systems
WordPress sites that have the Crocoblock JetPopup plugin installed with versions up to and including 2.0.15 are affected. This includes any installation that has not yet upgraded beyond that release. Users of the plugin should verify the exact version of JetPopup they are running.
Risk and Exploitability
The CVSS v3.1 score of 6.5 indicates a medium severity vulnerability. The EPSS score is reported as < 1%, suggesting a low likelihood of exploitation at the time of this analysis. The attack vector is inferred to be user‑initiated: an attacker can craft a URL or form entry that injects script and relies on a victim visiting the affected page. Because the flaw operates in the browser, it can apply to both authenticated and anonymous users, widening the attack surface. The vulnerability is not currently listed in CISA’s KEV catalog, but it remains publicly known and may be leveraged by automated scanners or targeted attackers.
OpenCVE Enrichment