CVE-2025-64264

Vulnerability

Overview The CVE-2025-64264 vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the Popup addon for Ninja Forms plugin for WordPress, affecting versions from n/a through 3.5.1. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript code [1].

Exploitation

Conditions Exploitation requires a user with at least Contributor-level privileges to perform an action — such as clicking a crafted link or visiting a specially prepared page. Once triggered, the injected script is stored on the server and executed in the browsers of other users who view the compromised content. This makes the attack persistent and scalable, as it does not require repeated social engineering for each visitor [1].

Impact

A successful attack allows an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, into the WordPress site. When visitors access the affected page, the injected code executes, potentially leading to data theft, session hijacking, or defacement [1].

Mitigation

The vulnerability has been addressed in version 3.5.2 of the plugin. Users are strongly advised to update immediately. For those unable to update, a temporary workaround includes disabling the plugin until a patch can be applied. The vendor notes that auto-update can be enabled for Patchstack users [1].