Popup Builder – Create highly converting, mobile friendly marketing popups. < 4.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-9856 | Plugin Vulnerabilities

Description

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 4.4.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/beb6b26a-3fe1-44e0-9fda-97b288abf735

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Naoya Takahashi (nakko)

Verified

No

WPVDB ID

e01864a5-f774-4812-a429-325aa58f215b

Timeline

Publicly Published

2025-12-12 (about 5 months ago)

Added

2025-12-12 (about 5 months ago)

Last Updated

2025-12-13 (about 5 months ago)

Other

Published

Title

Published

2021-07-29

Title

Alojapro Widget < 1.1.16 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-03-25

Title

SEO Plugin by Squirrly SEO < 12.3.17 - Reflected Cross-Site Scripting

Published

2023-04-13

Title

Betheme < 26.8 - Reflected XSS

Published

2015-04-20

Title

WordPress SEO by Yoast < 2.1 - Cross-Site Scripting (XSS)

Published

2024-06-19

Title

Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post_title]