The vulnerability arises from improper neutralization of input in the Ninja Popups WordPress plugin, enabling attackers to inject arbitrary script into stored content. This stored XSS can execute in the browsers of any visitor to pages displaying the popup, potentially defacing the site, stealing session cookies, or redirecting users to malicious domains. The weakness is a lack of output encoding for user controlled data. The impact is a compromise of confidentiality and integrity for site users, with possible defacement or phishing platforms.

Affected systems include the WordPress plugin Ninja Popups, version 4.7.8 and earlier, supplied by arscode. No specific sub-version list is provided; all released builds up to and including 4.7.8 are vulnerable. The plugin is commonly installed on WordPress sites that facilitate pop‑up content for marketing or notifications.

The CVSS score of 6.5 highlights moderate severity, and the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to inject malicious content via the plugin's entry point, and based on the description, it is inferred that this likely requires privileges to create or edit popups, such as an administrator or a trusted user. Once stored, the script runs automatically for all site visitors, making rapid exploitation possible if a craft attack vector is discovered and used. Because the exploitation does not require remote code execution on the server, the threat is confined to the affected website’s clients but can have widespread impact on site reputation.