Cross-Site Scripting Vulnerability in Hello Bar Popup Builder by Telepathy
CVE-2026-39666

6.5 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 8 April 2026

What is CVE-2026-39666?

The Hello Bar Popup Builder by Telepathy improperly neutralizes input during web page generation, resulting in a DOM-based Cross-Site Scripting (XSS) vulnerability. Attackers can use it to inject malicious scripts into web pages viewed by users, potentially leading to the theft of sensitive information or session hijacking. Users are urged to update their Hello Bar Popup Builder to version 1.5.1 or later to mitigate this risk.

Affected Version(s)

Hello Bar Popup Builder 0 <= 1.5.1

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nabil Irawan | Patchstack Bug Bounty Program