Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Top Bar - PopUps - by WPOptin allows Reflected XSS. This issue affects Top Bar - PopUps - by WPOptin: from n/a through 2.0.8.
AnalysisAI
Reflected cross-site scripting in WPOptin (WordPress plugin 'Top Bar - PopUps - by WPOptin') versions up to 2.0.8 allows remote attackers to inject malicious JavaScript through unsanitized input parameters. With CVSS 7.1 (AV:N/AC:L/PR:N/UI:R/S:C), successful exploitation requires user interaction but no authentication, enabling session hijacking, credential theft, or malicious actions in victim context. EPSS score of 0.09% (26th percentile) indicates low observed exploitation activity. Patchstack vulnerability database confirms this issue with no current evidence of active exploitation or public POC.
Technical ContextAI
This is a reflected cross-site scripting (CWE-79) vulnerability in the WPOptin WordPress plugin, marketed as 'Top Bar - PopUps - by WPOptin'. The flaw stems from improper neutralization of user-supplied input during web page generation, allowing unvalidated data to be echoed back to users within HTML context without adequate sanitization or output encoding. As a WordPress plugin vulnerability, it affects any WordPress installation running WPOptin versions up to and including 2.0.8. The reflected nature means malicious payloads are not stored server-side but must be delivered to victims through crafted URLs or form submissions. The Changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the plugin's security boundary, potentially compromising the WordPress admin session or other same-origin contexts.
Affected ProductsAI
WordPress plugin 'Top Bar - PopUps - by WPOptin' (also known as WPOptin) versions from initial release through version 2.0.8 inclusive are confirmed vulnerable. The plugin is distributed through the WordPress plugin repository under the slug 'wpoptin'. All WordPress installations running these plugin versions are affected regardless of WordPress core version. Patchstack vulnerability database entry provides authoritative confirmation at https://patchstack.com/database/wordpress/plugin/wpoptin/vulnerability/wordpress-easy-wp-tiles-plugin-1-cross-site-scripting-xss-vulnerability-7?_s_id=cve (note: URL reference contains 'easy-wp-tiles' which appears to be database metadata; the affected plugin is confirmed as wpoptin).
RemediationAI
Update WPOptin plugin to version 2.0.9 or later if available through the WordPress plugin repository admin interface (Dashboard > Plugins > Updates). Verify the installed version under Plugins > Installed Plugins and confirm 'Top Bar - PopUps - by WPOptin' shows version greater than 2.0.8. If an official patched version is not yet released or visible in your WordPress installation, implement compensating controls: disable the WPOptin plugin entirely until patch deployment (Plugins > Installed Plugins > Deactivate under wpoptin entry), understanding this removes top bar and popup functionality from your site. For critical deployments where plugin functionality must remain active, restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules, and implement Content Security Policy headers to mitigate XSS impact (add 'Content-Security-Policy: default-src self; script-src self' to web server configuration), though this may break legitimate plugin JavaScript functionality requiring testing. Consult Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpoptin/ for vendor-specific remediation guidance and confirmed patch version details.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today