WordPress Plugin Vulnerabilities

WP Modal Popup with Cookie Integration < 2.5 - Admin+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
wp-modal-popup-with-cookie-integration
Fixed in 2.5

References

CVE
CVE-2025-31772
URL
https://patchstack.com/database/wordpress/plugin/wp-modal-popup-with-cookie-integration/vulnerability/wordpress-wp-modal-popup-with-cookie-integration-plugin-2-4-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Pham Van Tam
Verified
No
WPVDB ID
490cfacb-e062-40da-9fe2-21cb8e181724

Timeline

Publicly Published
2025-04-01 (about 11 months ago)
Added
2025-04-09 (about 11 months ago)
Last Updated
2025-07-17 (about 7 months ago)

Other

Published
Title
Published
2025-09-18
Title
JetEngine < 3.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-08-26
Title
PostX Gutenberg Blocks Saved Templates Addon < 2.4.10 - Contributor+ Stored Cross-Site Scripting
Published
2025-09-22
Title
Colibri Page Builder < 1.0.334 - Authenticated (Shop manager+) Stored Cross-Site Scripting
Published
2023-11-13
Title
BSK Contact Form 7 Blacklist <= 1.0.1 - Reflected Cross-Site Scripting
Published
2025-01-06
Title
Unilevel MLM Plan < 2.0.0 - Reflected Cross-Site Scripting via 'page'