Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetPopup jet-popup allows Stored XSS.This issue affects JetPopup: from n/a through <= 2.0.15.1.
Published: 2025-07-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing attackers to inject malicious scripts that are stored and executed whenever the content is viewed. If exploited, a stored XSS could lead to defacement, theft of cookies, session hijacking, or execution of arbitrary actions in the context of the logged‑in user, as described by CWE‑79.

Affected Systems

The Crocoblock JetPopup plugin for WordPress, versions from the initial release through 2.0.15.1, is affected. Any WordPress site that has this plugin installed and not upgraded beyond 2.0.15.1 is potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require the attacker to supply malicious input via the plugin’s content fields or admin interface, after which the script runs automatically for any user who views the affected content.

Generated by OpenCVE AI on April 30, 2026 at 09:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetPopup to the latest patched version that includes input sanitization.
  • If an immediate upgrade is not feasible, temporarily disable or remove the JetPopup plugin from the site to block the attack surface.
  • Ensure that any data entered into JetPopup is stripped of script tags by enabling the plugin’s content filtering settings or by manually sanitizing the input before rendering.

Generated by OpenCVE AI on April 30, 2026 at 09:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21685 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetPopup allows Stored XSS. This issue affects JetPopup: from n/a through 2.0.15.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetPopup allows Stored XSS. This issue affects JetPopup: from n/a through 2.0.15.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetPopup jet-popup allows Stored XSS.This issue affects JetPopup: from n/a through <= 2.0.15.1.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 16 Jul 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00031}

Wed, 16 Jul 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetPopup allows Stored XSS. This issue affects JetPopup: from n/a through 2.0.15.1.
Title WordPress JetPopup plugin <= 2.0.15.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:03:53.508Z

Reserved: 2025-07-16T08:51:16.734Z

Link: CVE-2025-53995

cve-icon Vulnrichment

Updated: 2025-07-16T19:50:31.635Z

cve-icon NVD

Status : Deferred

Published: 2025-07-16T11:15:27.450

Modified: 2026-04-23T15:32:40.453

Link: CVE-2025-53995

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T09:45:25Z

Weaknesses