Stored Cross-Site Scripting in Popup Builder Plugin for WordPress
CVE-2025-9856
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 13 December 2025
What is CVE-2025-9856?
The Popup Builder plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability via its 'sg_popup' shortcode across all versions up to 4.4.1. This flaw arises from inadequate sanitization of user input and failing to properly escape output. Consequently, authenticated attackers with contributor-level access can inject malicious scripts into pages. These scripts will execute whenever users visit the compromised page, potentially leading to unauthorized actions and data exposure.
Affected Version(s)
Popup Builder β Create highly converting, mobile friendly marketing popups. * <= 4.4.1