CVE Catalog

CVE-2019-25744

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile - higher than 9% of all known CVEs

Summary

WordPress Popup Builder version 3.49 contains a persistent cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title parameter.

Risk Assessment

Attackers can exploit this vulnerability to execute malicious code, potentially leading to data theft or account takeover.

Recommendation

It is recommended to update the Popup Builder plugin to the latest version to mitigate this vulnerability and to monitor logs for potential attack attempts.

Original NVD description (English source)

WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payloads in the post_title field that execute when pages or posts display popup selections.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS