CVE-2019-25744
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
WordPress Popup Builder version 3.49 contains a persistent cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title parameter.
Risk Assessment
Attackers can exploit this vulnerability to execute malicious code, potentially leading to data theft or account takeover.
Recommendation
It is recommended to update the Popup Builder plugin to the latest version to mitigate this vulnerability and to monitor logs for potential attack attempts.
Original NVD description (English source)
WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payloads in the post_title field that execute when pages or posts display popup selections.

