CVE-2025-53994

2025-07-16

Lifecycle Timeline

CVE Published: Jul 16, 2025 - 11:15 (nvd)
Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetPopup jet-popup allows DOM-Based XSS. This issue affects JetPopup: from n/a through <= 2.0.15.

Analysis (AI)

Improper input neutralization in the Crocoblock JetPopup plugin (versions up to and including 2.0.15) allows DOM-based cross-site scripting (XSS). The vulnerability enables an attacker to inject JavaScript that executes in a victim's browser when the victim interacts with a popup, potentially leading to session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the low EPSS score (0.04%, 13th percentile) suggests minimal real-world exploitation likelihood despite public disclosure.

Technical Context (AI)

This is a DOM-based XSS vulnerability (CWE-79) in the JetPopup WordPress plugin, which provides drag-and-drop popup builder functionality. DOM-based XSS occurs when untrusted user input is processed by client-side JavaScript and inserted directly into the DOM without proper sanitization or encoding. In this case, the plugin fails to neutralize malicious input during web page generation, allowing attackers to craft payloads that execute arbitrary JavaScript in users' browsers. The vulnerability affects the popup rendering mechanism, likely in how user-supplied data (such as popup content, configuration parameters, or URL fragments) is handled by the frontend code.

Affected Products (AI)

Crocoblock JetPopup WordPress plugin version 2.0.15 and all earlier versions are affected. The plugin is distributed via the WordPress plugin repository under the slug jet-popup, which is how the CPE references identify it. Sites running JetPopup up to and including version 2.0.15 are exposed to this vulnerability.

Remediation (AI)

Update Crocoblock JetPopup to a patched version released after 2.0.15. Consult the official Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/jet-popup/vulnerability/wordpress-jetpopup-plugin-2-0-15-cross-site-scripting-xss-vulnerability?_s_id=cve for the specific patched version number and download link. If a timely patch is not available, consider disabling the JetPopup plugin temporarily and using an alternative popup solution until an update is released. Additionally, implement content security policy (CSP) headers on the site to mitigate XSS impact by restricting inline script execution.
