{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9856", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T15:30:05.856Z", "datePublished": "2025-12-13T08:21:15.324Z", "dateUpdated": "2026-04-08T17:19:17.730Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:17.730Z"}, "affected": [{"vendor": "popupbuilder", "product": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups.", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/beb6b26a-3fe1-44e0-9fda-97b288abf735?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/helpers/AdminHelper.php#L438"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/classes/popups/SGPopup.php#L1368"}, {"url": "https://plugins.trac.wordpress.org/changeset/3384281"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Naoya Takahashi"}], "timeline": [{"time": "2025-12-12T19:31:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:42:44.825778Z", "id": "CVE-2025-9856", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:46:08.201Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9856", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:42:44.825778Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:42:45.920Z"}}], "cna": {"title": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Naoya Takahashi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "popupbuilder", "product": "Popup Builder \u2013 Create highly converting, mobile friendly marketing popups.", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.4.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T19:31:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/beb6b26a-3fe1-44e0-9fda-97b288abf735?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/helpers/AdminHelper.php#L438"}, {"url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/classes/popups/SGPopup.php#L1368"}, {"url": "https://plugins.trac.wordpress.org/changeset/3384281"}], "descriptions": [{"lang": "en", "value": "The Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:17.730Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9856", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:19:17.730Z", "dateReserved": "2025-09-02T15:30:05.856Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T08:21:15.324Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-9856", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:57.307", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/classes/popups/SGPopup.php#L1368"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/helpers/AdminHelper.php#L438"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3384281"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/beb6b26a-3fe1-44e0-9fda-97b288abf735?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T18:54:39.241624+00:00", "value": {"mitigation_remediation": ["Upgrade the Popup Builder plugin to a version newer than 4.4.1 that addresses the cross\u2011site scripting vulnerability.", "Limit contributor or lower user privileges on the WordPress site, or remove any unnecessary accounts that have the ability to edit popups.", "Implement an additional layer of input validation or a web application firewall to block the injection of arbitrary scripts, and consider applying a Content Security Policy that disables inline scripts."], "summary": {"action": "Immediate patch", "impact": "Stored Cross-Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Any WordPress installation running the Popup Builder \u2013 Create highly converting, mobile friendly marketing popups. plugin version 4.4.1 or earlier is affected. The vulnerability exists in all releases through 4.4.1; upgrading beyond 4.4.1 removes the flaw.", "description_and_impact": "The plugin contains a stored cross\u2011site scripting flaw that allows an authenticated contributor or higher to inject arbitrary JavaScript via the 'sg_popup' shortcode. Because the plugin fails to properly sanitize and escape user supplied attributes, the malicious script is persisted in the database and executed whenever any visitor renders the compromised popup. This can lead to defacement, credential theft, and further compromise of site integrity.", "risk_and_exploitability": "The likely attack vector is an authenticated contributor or higher user in WordPress who can edit popups. The attacker can inject malicious code into the sg_popup shortcode, which is then stored and executed for all site visitors. The CVSS score of 6.4 indicates moderate impact; the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, though the persistence of the flaw means that any site using an affected version remains vulnerable until the plugin is updated. The vulnerability is not listed in CISA\u2019s KEV catalog."}}}}, "created": "2025-12-14T21:14:33.025509+00:00", "updated": "2026-04-20T19:00:10.694440+00:00", "vendors": ["popup_builder", "popup_builder$PRODUCT$popup_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}