CVE-2025-25118
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Danish Ali Malik Top Bar – PopUps – by WPOptin wpoptin allows Reflected XSS. This issue affects Top Bar – PopUps – by WPOptin: from n/a through <= 2.0.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the WordPress plugin Top Bar – PopUps – by WPOptin, versions up to and including 2.0.8, lets an unauthenticated attacker inject arbitrary script into a page because request input is not neutralized before it is written into the generated HTML.
Vulnerability Overview
A reflected Cross-Site Scripting (XSS) vulnerability exists in the WordPress plugin Top Bar – PopUps – by WPOptin (wpoptin) versions up to and including 2.0.8. The plugin fails to properly neutralize user-supplied input during web page generation, allowing an attacker to inject malicious scripts into a page that is then reflected back to the user [1].
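The weakness class named above (CWE-79, input written into the page without neutralization) is easiest to see beside its fix. The following PHP is an added illustration written for this page; it is not code from the WPOptin plugin, and the parameter name `bar_text`, the option key and the function names are assumptions. The vulnerable function echoes a request parameter straight into markup; the hardened one sanitizes on input and escapes for each output context with the standard WordPress functions. Stand-in definitions are included only so the file also runs from the command line outside WordPress.

```php
<?php
// Added illustration (not the WPOptin plugin's code): the general
// "improper neutralization during web page generation" pattern behind a
// reflected XSS, next to the hardened WordPress idiom.
// Assumed names: the query parameter `bar_text`, the option key
// `demo_bar_text`, and the `demo_*` functions.

// Stand-ins so this file runs outside WordPress. Real WordPress already
// defines these; the stand-ins approximate their behaviour.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $s ) { return stripslashes( (string) $s ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $s ) {
        // Strip tags, control characters and surrounding whitespace.
        $s = strip_tags( (string) $s );
        $s = preg_replace( '/[\x00-\x1F\x7F]/', '', $s );
        return trim( $s );
    }
}
if ( ! function_exists( 'get_option' ) ) {
    function get_option( $key, $default = false ) { return $default; }
}

// VULNERABLE: the request parameter is concatenated into HTML unchanged,
// in both an attribute context and a text context. Whatever the link
// carries in `bar_text` is reflected into the victim's page as markup.
function demo_render_bar_vulnerable( array $get ) {
    $text = isset( $get['bar_text'] ) ? $get['bar_text'] : 'Welcome';
    return '<div class="top-bar" title="' . $text . '">' . $text . '</div>';
}

// HARDENED: unslash, sanitize on input, then escape per output context.
// esc_attr() for the attribute value, esc_html() for the text node; the
// browser now sees the input as literal characters, not as tags.
function demo_render_bar_hardened( array $get ) {
    $text = isset( $get['bar_text'] )
        ? sanitize_text_field( wp_unslash( $get['bar_text'] ) )
        : 'Welcome';
    return sprintf(
        '<div class="top-bar" title="%s">%s</div>',
        esc_attr( $text ),
        esc_html( $text )
    );
}

// BETTER: do not reflect request input at all. A top-bar message is
// configuration, so read it from an option only an administrator can set,
// and still escape it on output (stored data is not trusted either).
function demo_render_bar_from_option() {
    $text = get_option( 'demo_bar_text', 'Welcome' );
    return '<div class="top-bar">' . esc_html( $text ) . '</div>';
}

if ( PHP_SAPI === 'cli' ) {
    // Constructed sample request: a value that is only safe if neutralized.
    $sample = array( 'bar_text' => '"><b>not text</b>' );
    echo "vulnerable: ", demo_render_bar_vulnerable( $sample ), PHP_EOL;
    echo "hardened:   ", demo_render_bar_hardened( $sample ), PHP_EOL;
    echo "from option:", demo_render_bar_from_option(), PHP_EOL;
}
```

Running the file shows the difference directly: the vulnerable output contains a closed `title` attribute followed by a live `<b>` element, while the hardened output keeps the same characters as `&quot;&gt;` and `&lt;b&gt;` inside the attribute and text node. Escaping must match the output context; the attribute and text cases happen to use the same encoding here, but a value written into a URL or into inline JavaScript needs `esc_url()` or `esc_js()` instead.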
Attack Vector and Prerequisites
This reflected XSS vulnerability can be initiated by any unauthenticated visitor. However, successful exploitation requires user interaction — the target must click a crafted link, visit a specially prepared page, or submit a malicious form [1]. No high-level privileges are needed to trigger the attack, only the victim's interaction with the attacker-controlled input.
Impact and Potential Harm
An attacker exploiting this flaw can inject arbitrary HTML and JavaScript payloads into the affected WordPress site. When a victim visits the manipulated page, the injected script executes in their browser. This could lead to redirects to malicious sites, display of unwanted advertisements, theft of session cookies, or other harmful actions within the context of the victim's session [1].
Mitigation and Recommendations
The vulnerability is rated moderately dangerous and is expected to be leveraged in mass-exploitation campaigns that target thousands of websites at once. The immediate recommended action is to update the plugin to a patched version (later than 2.0.8). If an official patch is not yet available, a mitigation rule can be applied via Patchstack to block attacks until a safe update can be deployed [1]. Users who cannot update immediately should consult their hosting provider or web developer for alternative mitigations [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (no linked articles in our index yet)