Description
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-13
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS)
Action: Immediate patch
AI Analysis

Impact

The plugin contains a stored cross‑site scripting flaw that allows an authenticated contributor or higher to inject arbitrary JavaScript via the 'sg_popup' shortcode. Because the plugin fails to properly sanitize and escape user supplied attributes, the malicious script is persisted in the database and executed whenever any visitor renders the compromised popup. This can lead to defacement, credential theft, and further compromise of site integrity.

Affected Systems

Any WordPress installation running the Popup Builder – Create highly converting, mobile friendly marketing popups. plugin version 4.4.1 or earlier is affected. The vulnerability exists in all releases through 4.4.1; upgrading beyond 4.4.1 removes the flaw.

Risk and Exploitability

The likely attack vector is an authenticated contributor or higher user in WordPress who can edit popups. The attacker can inject malicious code into the sg_popup shortcode, which is then stored and executed for all site visitors. The CVSS score of 6.4 indicates moderate impact; the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, though the persistence of the flaw means that any site using an affected version remains vulnerable until the plugin is updated. The vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 20, 2026 at 18:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Popup Builder plugin to a version newer than 4.4.1 that addresses the cross‑site scripting vulnerability.
  • Limit contributor or lower user privileges on the WordPress site, or remove any unnecessary accounts that have the ability to edit popups.
  • Implement an additional layer of input validation or a web application firewall to block the injection of arbitrary scripts, and consider applying a Content Security Policy that disables inline scripts.

Generated by OpenCVE AI on April 20, 2026 at 18:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Popup Builder
Popup Builder popup Builder
Wordpress
Wordpress wordpress
Vendors & Products Popup Builder
Popup Builder popup Builder
Wordpress
Wordpress wordpress

Sat, 13 Dec 2025 08:30:00 +0000

Type Values Removed Values Added
Description The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Popup Builder – Create highly converting, mobile friendly marketing popups. <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Popup Builder Popup Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:17.730Z

Reserved: 2025-09-02T15:30:05.856Z

Link: CVE-2025-9856

cve-icon Vulnrichment

Updated: 2025-12-15T15:42:45.920Z

cve-icon NVD

Status : Deferred

Published: 2025-12-13T16:16:57.307

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9856

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:00:10Z

Weaknesses