CVE-2025-53995

2025-07-16

Lifecycle Timeline

CVE Published: Jul 16, 2025 - 11:15 (source: nvd)
Analysis Generated: Apr 01, 2026 - 17:43 (source: vuln.today)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetPopup jet-popup allows Stored XSS. This issue affects JetPopup: from n/a through <= 2.0.15.1.

Analysis (AI)

A stored XSS vulnerability in the Crocoblock JetPopup WordPress plugin, up to and including version 2.0.15.1, allows authenticated attackers to inject scripts that later execute in the browsers of site visitors and administrators. The flaw lies in the plugin's page generation logic: user-supplied input is not properly sanitized before being rendered, so the injected script is persisted and served on every render. Despite the low EPSS score (0.04%), stored XSS in a WordPress plugin carries significant risk because of its broad exposure to site visitors and the potential for session hijacking, credential theft, or privilege escalation when the payload executes in an administrator's session.

Technical Context (AI)

The vulnerability stems from improper neutralization of input during web page generation and is classified under CWE-79 (Cross-site Scripting). JetPopup is a WordPress plugin for building popup elements and forms; the advisory does not name the exact sink, but the plugin processes user-supplied input (likely popup configuration, form fields, or modal content) without adequate HTML entity encoding or script filtering before inserting it into the page. Stored XSS in WordPress plugins is particularly dangerous because the payload is persisted in the database and automatically delivered to every visitor, including high-privilege administrators, whenever the affected popup or form is rendered.

Affected Products (AI)

Crocoblock JetPopup WordPress plugin, all versions up to and including 2.0.15.1. The plugin is identified by CPE references to Wordpress/Plugin/jet-popup. Every installation running version 2.0.15.1 or earlier is vulnerable; the version that introduced the flaw is not specified in the available data.

Remediation (AI)

Upgrade Crocoblock JetPopup to a patched version released after 2.0.15.1. Consult the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/jet-popup/vulnerability/wordpress-jetpopup-plugin-2-0-15-1-cross-site-scripting-xss-vulnerability for the minimum safe version and installation instructions. In the interim, restrict admin panel access to trusted administrators only, audit existing popup configurations for unexpected HTML or script content, and monitor site traffic for signs of injected scripts. If a patched version is not immediately available, disable the JetPopup plugin until a fix is released.
