{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12122", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-23T18:18:00.897Z", "datePublished": "2026-02-18T05:29:18.098Z", "dateUpdated": "2026-04-08T17:13:46.042Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:46.042Z"}, "affected": [{"vendor": "wpcalc", "product": "Popup Box \u2013 Easily Create WordPress Popups", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Popup Box \u2013 Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Popup Box \u2013 Easily Create WordPress Popups <= 3.2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7eeb557-0528-422a-aae7-3f99154953df?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3410472%40popup-box&new=3410472%40popup-box&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "cweId": "CWE-78", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2026-02-17T16:37:54.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:25:13.139669Z", "id": "CVE-2025-12122", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:52:54.621Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12122", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:25:13.139669Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:25:14.006Z"}}], "cna": {"title": "Popup Box \u2013 Easily Create WordPress Popups <= 3.2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpcalc", "product": "Popup Box \u2013 Easily Create WordPress Popups", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2.12"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-17T16:37:54.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7eeb557-0528-422a-aae7-3f99154953df?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3410472%40popup-box&new=3410472%40popup-box&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Popup Box \u2013 Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:46.042Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12122", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:46.042Z", "dateReserved": "2025-10-23T18:18:00.897Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T05:29:18.098Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Popup Box \u2013 Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Popup Box \u2013 Easily Create WordPress Popups para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del shortcode 'iframeBox' del plugin en todas las versiones hasta la 3.2.12, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-12122", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T06:16:33.027", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3410472%40popup-box&new=3410472%40popup-box&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7eeb557-0528-422a-aae7-3f99154953df?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.12]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Popup Box \u2013 Easily Create WordPress Popups", "source": "cna", "vendor": "wpcalc"}, "product": "popup_box_\u2013_easily_create_wordpress_popups", "vendor": "wpcalc"}], "analysis": {"en": {"generated_at": "2026-04-21T00:14:36.800191+00:00", "value": {"mitigation_remediation": ["Upgrade the Popup Box plugin to version 3.2.13 or later to remove the stored cross\u2011site scripting flaw.", "If an upgrade cannot be performed immediately, deactivate the plugin to eliminate the attacker\u2019s upload path.", "Audit existing content (posts, pages, widgets) for the iframeBox shortcode and strip or sanitize any suspicious instances.", "Restrict contributor capabilities to prevent the creation of malicious shortcodes, or promote users to lower roles when full editing access is not required.", "Implement a content filtering plugin or custom sanitization for shortcode attributes to block future injection attempts."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the Popup Box \u2013 Easily Create WordPress Popups plugin on WordPress sites where the plugin version is 3.2.12 or earlier are affected. The flaw exists in any configuration where contributors can create or edit content that includes the iframeBox shortcode.", "description_and_impact": "The Popup Box \u2013 Easily Create WordPress Popups plugin is vulnerable to stored cross\u2011site scripting through its iframeBox shortcode in all versions up to 3.2.12. Insufficient input sanitization and output escaping allow an attacker with contributor\u2011level or higher WordPress access to inject arbitrary JavaScript that will run whenever a site visitor views any page containing the malicious shortcode. This can lead to session hijacking, data theft, or defacement of the site. The weakness is a classic stored XSS flaw.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, and the EPSS score of less than 1\u202f% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw only after authenticating as a contributor or higher user, which is the inferred attack vector. Once an attacker injects malicious scripts via the shortcode, the stored payload is delivered to all site visitors, providing broad impact across the site's audience."}}}}, "created": "2026-02-18T10:32:45.696461+00:00", "updated": "2026-04-21T00:15:16.136275+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpcalc", "wpcalc$PRODUCT$popup_box_\u2013_easily_create_wordpress_popups"]}