CVE-2025-66111
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nelio Software Nelio Popups (nelio-popups) allows Stored XSS. This issue affects Nelio Popups: from n/a through <= 1.3.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nelio Popups WordPress plugin <= 1.3.0 is vulnerable to stored cross-site scripting, allowing authenticated attackers with contributor-level access or above to inject persistent scripts.
Vulnerability Analysis
The Nelio Popups plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in versions up to and including 1.3.0. The root cause is improper neutralization of user-supplied input during web page generation, which allows malicious script content to be stored and later executed in the context of other users' browsers [1].
Exploitation Conditions
Exploitation requires an attacker to have at least contributor-level access to the WordPress site. The attacker can inject arbitrary JavaScript or HTML into popup content through the plugin's input fields. User interaction is required for successful exploitation — specifically, a victim (such as a site visitor or administrator) must view a page containing the crafted popup, causing the injected script to execute [1].
Impact
A successful attack could allow the attacker to perform actions such as redirecting visitors to malicious sites, displaying deceptive advertisements, stealing cookies, or defacing the website by injecting arbitrary HTML payloads. These attacks could be used in broader campaigns targeting thousands of WordPress sites [1].
Mitigation
The vulnerability is fixed in version 1.3.1 of the plugin. The vendor recommends updating immediately. For users unable to update, consulting the hosting provider for alternative mitigations is advised. The CVSS v3 score for this issue is 6.5 (Medium), and while the official advisory notes a low severity, proactive patching is recommended to prevent exploitation [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 1.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.