CVE-2025-63059
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arscode Ninja Popups arscode-ninja-popups allows Stored XSS. This issue affects Ninja Popups: from n/a through <= 4.7.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress Ninja Popups plugin (≤4.7.8) allows authenticated attackers to inject malicious scripts, enabling mass exploitation.
Vulnerability Overview
The Ninja Popups plugin for WordPress (versions up to and including 4.7.8) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows attackers to inject arbitrary JavaScript or HTML into popup content, which is then stored and executed when other users view the affected pages.
Exploitation Requirements
Exploitation requires a privileged user—such as an administrator—to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form [1]. The vulnerability can be initiated by an authenticated attacker with lower privileges, but successful execution depends on the target user's interaction. This pattern is commonly seen in mass-exploit campaigns targeting WordPress sites [1].
Impact
A successful attack enables the injection of malicious scripts that can redirect visitors to attacker-controlled sites, display unwanted advertisements, or steal sensitive data [1]. Because the payload is stored, every visitor to the compromised page is affected, amplifying the potential damage.
Mitigation
Users are strongly advised to update the Ninja Popups plugin to a patched version as soon as possible [1]. If updating is not immediately feasible, contacting a hosting provider or web developer for assistance is recommended. No workaround is currently available, and the vulnerability is actively being exploited in the wild [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.7.8
- Range: <=4.7.8
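To check whether a given WordPress tree carries a Ninja Popups build inside the affected range above, the following added example (not code from the plugin or from this advisory) reads the plugin's header and compares versions numerically. It assumes the plugin is installed under a directory named after the slug arscode-ninja-popups; the fixture file name is a placeholder.

```python
import re
import tempfile
from pathlib import Path

SLUG = "arscode-ninja-popups"   # slug from the CVE description; install dir name is assumed to match
LAST_AFFECTED = (4, 7, 8)       # "through <= 4.7.8" per the CVE description

# Same shape WordPress uses for plugin headers: optional comment prefix, then "Version: x.y.z".
HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def parse_version(text):
    """Turn '4.7.10' into (4, 7, 10) so comparison is numeric, not lexical."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(wp_root):
    """Return the Version header of the plugin's main file, or None if absent."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only reads plugin headers from the first 8 KiB of a file.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = HEADER_VERSION.search(head)
        if "Plugin Name:" in head and match:
            return match.group(1)
    return None

def assess(wp_root):
    """Return 'not-installed', 'affected' or 'outside-range' for one site root."""
    version = installed_version(wp_root)
    if version is None:
        return "not-installed"
    return "affected" if parse_version(version) <= LAST_AFFECTED else "outside-range"

def make_sample_site(version):
    """Constructed fixture: a minimal fake WordPress tree with a plugin header."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / "wp-content" / "plugins" / SLUG
    plugin_dir.mkdir(parents=True)
    # "plugin-main.php" is a placeholder; the real main file name is not on this page.
    (plugin_dir / "plugin-main.php").write_text(
        f"<?php\n/*\nPlugin Name: Ninja Popups\nVersion: {version}\n*/\n")
    return root

if __name__ == "__main__":
    for v in ("4.7.8", "4.7.10"):
        print(v, assess(make_sample_site(v)))
```

A result of "outside-range" only means the version is above 4.7.8; this page does not name a fixed release.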
Patches
No patches discovered yet.
References