Description
The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows an attacker to inject arbitrary scripts into webpages seen by other users
Action: Patch Immediately
AI Analysis

Impact

The vulnerability resides in the WDES Responsive Popup WordPress plugin, where the 'wdes-popup-title' shortcode does not properly sanitize or escape user‑supplied attributes. Because of this, code injected into the title attribute can be stored in the database and later rendered on any page that displays the popup, enabling arbitrary script execution in the context of the site’s users. This is a classic input validation weakness classified as CWE‑79, and the impact is the potential compromise of confidentiality, integrity, and availability of affected users’ browsers.

Affected Systems

All installations of the WDES Responsive Popup plugin version 1.3.6 and earlier. The plugin is distributed by the master‑buldog vendor for WordPress. Sites that use the plugin with contributor‑level or higher privileges are vulnerable.

Risk and Exploitability

With a CVSS base score of 6.4 the vulnerability is moderately severe. The EPSS score is reported as < 1%, indicating a low‑to‑moderate probability of exploitation, and it is not listed in the CISA KEV catalog. The attack can be carried out by any authenticated user with contributor or higher access, who can edit the shortcode’s title attribute and insert malicious code. Once injected, the script executes for any visitor who views a page that includes the popup. The scope is limited to the site’s user base, but the impact on each user is significant.

Generated by OpenCVE AI on April 15, 2026 at 21:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WDES Responsive Popup plugin to the latest version that removes the unsafe shortcut handling.
  • If an update is not immediately available, remove or disable the plugin and any active shortcodes until the fix can be applied.
  • Restrict contributor and lower‑privilege roles from editing popup content, or limit the use of the 'wdes-popup-title' shortcode to administrators only.

Generated by OpenCVE AI on April 15, 2026 at 21:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Master-buldog
Master-buldog wdes Responsive Popup
Wordpress
Wordpress wordpress
Vendors & Products Master-buldog
Master-buldog wdes Responsive Popup
Wordpress
Wordpress wordpress

Wed, 11 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 08:30:00 +0000

Type Values Removed Values Added
Description The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'attr' Shortcode Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Master-buldog Wdes Responsive Popup
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:07.525Z

Reserved: 2026-02-03T13:47:01.171Z

Link: CVE-2026-1804

cve-icon Vulnrichment

Updated: 2026-02-11T15:37:11.980Z

cve-icon NVD

Status : Deferred

Published: 2026-02-11T09:15:51.863

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1804

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:15:13Z

Weaknesses