WordPress Plugin Vulnerabilities

Login/Signup Popup < 2.9.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description

The Login/Signup Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
easy-login-woocommerce
Fixed in 2.9.5

References

CVE
CVE-2025-50027
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d267a3d8-2fe3-48b2-95a1-49d3baa67694

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Nabil Irawan
Verified
No
WPVDB ID
a80c26ac-48f9-4712-95dc-1888cacfd245

Timeline

Publicly Published
2025-06-19 (about 1 year ago)
Added
2025-06-25 (about 1 year ago)
Last Updated
2025-07-10 (about 11 months ago)

Other

Published
Title
Published
2026-03-23
Title
WP TripAdvisor Review Slider < 14.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2025-01-16
Title
Flexible Blogtitle <= 0.1 - Reflected Cross-Site Scripting
Published
2023-04-24
Title
Decon WP SMS <= 1.1 - Admin+ Stored Cross-Site Scripting
Published
2025-04-22
Title
Booster for WooCommerce < 7.2.6 - Reflected Cross-Site Scripting
Published
2021-07-01
Title
WP Google Map < 1.7.7 - Authenticated Stored Cross-Site Scripting (XSS)