Impact
Improper neutralization of input during page generation results in a stored Cross‑Site Scripting flaw consistent with CWE-79. Malicious JavaScript can be injected into the popup content created by the plugin and later rendered when the popup is displayed to visitors, allowing the attacker to execute code in users’ browsers.
Affected Systems
The issue affects the WordPress plugin Popup addon for Ninja Forms, distributed by Aman, for all versions up through and including 3.5.1. Users running these versions on any WordPress site are susceptible unless the plugin is removed or updated.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity. An EPSS score of less than 1% suggests a low probability of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely remote via legitimate form submissions or other user‑controlled input within the plugin, resulting in stored malicious payloads that are rendered when the popup is displayed to other visitors.
OpenCVE Enrichment