CVE-2019-25744
Description
WordPress Popup Builder 3.49 has a persistent XSS vulnerability allowing authenticated users to inject scripts via the post_title parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress Popup Builder 3.49 has a persistent XSS vulnerability allowing authenticated users to inject scripts via the post_title parameter.
Vulnerability
A persistent cross-site scripting (XSS) vulnerability exists in WordPress Popup Builder version 3.49 and earlier. The vulnerability allows authenticated attackers to inject malicious scripts by breaking out of option tags within the post_title parameter. This vulnerability is triggered when crafted POST requests are sent to the post.php endpoint [3].
Exploitation
An attacker with authenticated access to the WordPress site can exploit this vulnerability. The attacker needs to submit a crafted POST request to the post.php endpoint, including script payloads within the post_title field. These scripts will execute when the popup selections are displayed on pages or posts [3].
Impact
Successful exploitation of this vulnerability allows an attacker to inject and execute arbitrary JavaScript code in the context of other users' browsers. This can lead to session hijacking, defacement, or redirection to malicious websites, impacting the confidentiality and integrity of the application [3].
Mitigation
This vulnerability affects Popup Builder versions up to and including 3.49. Users are advised to update to a version that addresses this vulnerability. Information regarding specific fixed versions or release dates is not yet available in the provided references. There are no disclosed workarounds at this time [1, 2, 3].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin fails to properly sanitize the post_title parameter when creating or updating popups, allowing for script injection."
Attack vector
An authenticated attacker can send a crafted POST request to the post.php endpoint. By injecting script payloads into the `post_title` parameter, the attacker can cause arbitrary JavaScript to execute in the context of other users when popup selections are displayed. This vulnerability allows for persistent cross-site scripting attacks [ref_id=1].
Affected code
The vulnerability is related to the handling of the `post_title` parameter within the plugin's functionality for creating or updating popups. The specific file or function is not detailed in the provided information, but the attack targets the `post.php` endpoint [ref_id=1].
What the fix does
The patch is not provided in the bundle. However, the vulnerability description indicates that the issue lies in the handling of the `post_title` parameter. A fix would likely involve sanitizing or escaping this input to prevent the injection of malicious scripts.
Preconditions
- authThe attacker must be authenticated to WordPress.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.