{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14506", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-11T00:01:18.282Z", "datePublished": "2026-01-10T11:22:38.947Z", "dateUpdated": "2026-04-08T17:20:54.051Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:54.051Z"}, "affected": [{"vendor": "imtiazrayhan", "product": "ConvertForce Popup Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "ConvertForce Popup Builder <= 0.0.7 - Stored Cross-Site Scripting via entrance_animation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c57b9a78-53f4-40bb-ae6a-c5242b41329f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L47"}, {"url": "https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L66"}, {"url": "https://plugins.trac.wordpress.org/changeset/3419678/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Powpy"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}], "timeline": [{"time": "2025-12-11T18:29:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-09T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T13:07:24.528871Z", "id": "CVE-2025-14506", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T13:10:20.692Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14506", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T13:07:24.528871Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T13:10:18.175Z"}}], "cna": {"title": "ConvertForce Popup Builder <= 0.0.7 - Stored Cross-Site Scripting via entrance_animation", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Powpy"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "imtiazrayhan", "product": "ConvertForce Popup Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T18:29:42.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-09T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c57b9a78-53f4-40bb-ae6a-c5242b41329f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L47"}, {"url": "https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L66"}, {"url": "https://plugins.trac.wordpress.org/changeset/3419678/"}], "descriptions": [{"lang": "en", "value": "The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:54.051Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14506", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:20:54.051Z", "dateReserved": "2025-12-11T00:01:18.282Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-10T11:22:38.947Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin ConvertForce Popup Builder para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del atributo 'entrance_animation' del bloque de Gutenberg en todas las versiones hasta la 0.0.7, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de Autor y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-14506", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-10T12:15:48.563", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L47"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L66"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3419678/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c57b9a78-53f4-40bb-ae6a-c5242b41329f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:09:14.410417+00:00", "value": {"mitigation_remediation": ["Install the latest version of ConvertForce Popup Builder (0.0.8 or newer) to remove the vulnerable entrance_animation attribute.", "If an upgrade is not possible, remove the block or delete the plugin entirely from the site, or manually ensure that the entrance_animation attribute is sanitized to only allow safe values.", "Implement a Content Security Policy that disallows inline scripts or restricts JavaScript sources, reducing the impact of any remaining XSS vectors."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting that allows authenticated users with Author-level access to inject and execute arbitrary scripts on pages using the vulnerable block"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the ConvertForce Popup Builder plugin in any version up to and including 0.0.7 are affected. Version numbers are specified by the plugin\u2019s developers as 0.0.0 through 0.0.7; no later versions of the plugin are known to contain this vulnerability.", "description_and_impact": "The ConvertForce Popup Builder plugin for WordPress contains a Stored Cross\u2011Site Scripting flaw in the entrance_animation attribute of its Gutenberg block. Because user input is neither validated nor escaped, an attacker who is logged in with Author or higher privileges can inject malicious scripts that run when any visitor loads a page containing the block. This flaw is listed as CWE\u201179 and enables the attacker to compromise the confidentiality, integrity, or availability of the user\u2019s browser session and can result in credential theft, defacement, or further compromise of the site.", "risk_and_exploitability": "The vulnerability scores a CVSS of 6.4, indicating a medium severity. The EPSS score is below 1\u202f%, suggesting a low likelihood that attackers are actively exploiting the flaw. It is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated as an Author or higher and to embed malicious content within the block, which will then be rendered and executed by unsuspecting visitors. Because the attack vector is restricted to authenticated users performing content editing, the risk is limited to sites with many active authors, but any successful exploitation could affect all site visitors."}}}}, "created": "2026-01-12T14:36:29.324454+00:00", "updated": "2026-04-20T21:15:20.630785+00:00", "vendors": ["imtiazrayhan", "imtiazrayhan$PRODUCT$convertforce_popup_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}