CVE-2025-9490

Vulnerability

Overview The Popup Maker plugin for WordPress, up to version 1.20.6, contains a Stored Cross-Site Scripting (XSS) vulnerability in the ‘title’ parameter. The root cause is insufficient input sanitization and output escaping, which allows authenticated attackers to inject arbitrary web scripts that are stored and executed when other users access the affected page [1].

Exploitation

Conditions Exploitation requires an authenticated user with at least Contributor-level access. The attacker can inject malicious JavaScript or HTML into the popup title field, which is then stored in the database and rendered without proper escaping. No additional privileges or special network access are needed beyond standard WordPress contributor permissions [1].

Impact

Successful exploitation enables the attacker to execute arbitrary scripts in the context of any user who views the injected page. This can lead to session hijacking, defacement, or theft of sensitive information such as cookies or authentication tokens. The vulnerability affects all users of the plugin, including site administrators, if they visit the compromised page [1].

Mitigation

The vendor has not released a patched version at the time of publication. Users are advised to restrict Contributor-level access to trusted individuals, apply input validation plugins, or monitor for updates from the plugin developer. The plugin is widely used, with over 780,000 installations, increasing the potential attack surface [1].