CVE-2025-62095
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in neilgee Bootstrap Modals bootstrap-modals allows Stored XSS. This issue affects Bootstrap Modals: from n/a through <= 1.3.2.
Analysis
Stored cross-site scripting (XSS) vulnerability in Bootstrap Modals WordPress plugin versions up to 1.3.2 allows authenticated attackers to inject and execute arbitrary JavaScript code that persists in the database and executes for all site visitors. The vulnerability stems from improper input neutralization during web page generation, enabling attackers with plugin-relevant permissions to compromise user sessions and steal sensitive data from administrators and site visitors.
Technical Context
The vulnerability is a classic stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Bootstrap Modals WordPress plugin, which provides modal dialog functionality. The root cause is the failure to properly sanitize and escape user-supplied input before storing it in the database and rendering it on web pages. When the plugin generates HTML for modal elements, it does not adequately neutralize malicious scripts embedded in input fields, allowing attackers to inject payloads that execute in the context of the vulnerable application. WordPress plugins typically process user input through forms or settings panels; if these inputs are stored without sanitization and later output without escaping, stored XSS occurs. The CPE for the affected software is identified as the Bootstrap Modals plugin for WordPress (wordpress-plugin-bootstrap-modals) affecting versions through 1.3.2.
Affected Products
Bootstrap Modals WordPress plugin from version n/a through version 1.3.2 inclusive is affected. The plugin, identified by CPE wordpress-plugin-bootstrap-modals, is used to add modal dialog functionality to WordPress sites. The vulnerability impacts all installations running version 1.3.2 or earlier.
Remediation
Site administrators must update Bootstrap Modals to a patched version greater than 1.3.2 as soon as possible. Check the WordPress plugin repository or the vendor's official advisory at https://patchstack.com/database/Wordpress/Plugin/bootstrap-modals/vulnerability/wordpress-bootstrap-modals-plugin-1-3-2-cross-site-scripting-xss-vulnerability for the latest available version. If a patched version is not yet available, consider temporarily disabling the plugin until an update is released. Site owners should audit any modal content created or modified by users with plugin administrative access for signs of malicious scripts and consider resetting stored modal data if compromise is suspected.
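The two defender-side points above, the sanitize-on-save/escape-on-output pattern whose absence causes CWE-79 (Technical Context) and the audit of already-stored modal content (Remediation), as one added PHP example. This is not the Bootstrap Modals plugin's code and makes no claim about how that plugin stores or renders data; the modal records, the function names (render_modal_unsafe, render_modal_safe, esc_attr_like, looks_like_script_injection) and the malicious sample values are all constructed for illustration. It runs stand-alone with the PHP CLI; inside WordPress the escaping helper would be replaced by esc_html()/esc_attr(), or wp_kses_post() where a body legitimately needs a limited HTML subset.

```php
<?php
// Added example, not code from the Bootstrap Modals plugin. Models a generic
// WordPress-style modal plugin that stores user-supplied title/body text and
// later renders it into the page.
declare(strict_types=1);

// Constructed stand-in for stored settings (in WordPress: get_option()/post meta).
// The 'tampered' record is a constructed example of what a user with edit rights
// could save if the plugin neither sanitizes on save nor escapes on output.
$modal_store = [
    'welcome' => [
        'title' => 'Welcome',
        'body'  => 'Thanks for visiting our site.',
    ],
    'tampered' => [
        'title' => 'Offer</h5><script>alert(1)</script>',
        'body'  => '<img src=x onerror=alert(1)>',
    ],
];

// Vulnerable pattern (CWE-79): stored values are concatenated straight into markup,
// so any HTML or script they contain becomes part of the page for every visitor.
function render_modal_unsafe(array $modal, string $id): string
{
    return '<div class="modal" id="' . $id . '">'
         . '<h5 class="modal-title">' . $modal['title'] . '</h5>'
         . '<div class="modal-body">' . $modal['body'] . '</div>'
         . '</div>';
}

// Hardened pattern: escape every stored value for the HTML context it lands in.
// htmlspecialchars() with ENT_QUOTES is the primitive WordPress's esc_html()/
// esc_attr() are built on; this hypothetical helper stands in for them here.
function esc_attr_like(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_modal_safe(array $modal, string $id): string
{
    return '<div class="modal" id="' . esc_attr_like($id) . '">'
         . '<h5 class="modal-title">' . esc_attr_like($modal['title']) . '</h5>'
         . '<div class="modal-body">' . esc_attr_like($modal['body']) . '</div>'
         . '</div>';
}

// Audit helper for data that was stored before a patch was applied: flags the
// markers most stored-XSS payloads rely on (script tags, inline event handlers,
// javascript: URLs, embedded frames/objects). It is a review heuristic, so a
// hit means "look at this record", not a confirmed compromise.
function looks_like_script_injection(string $value): bool
{
    return (bool) preg_match(
        '/<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*(iframe|object|embed)\b/i',
        $value
    );
}

// Walk the stored records and report anything that needs a human look.
foreach ($modal_store as $id => $modal) {
    foreach ($modal as $field => $value) {
        if (looks_like_script_injection($value)) {
            echo "review: modal '$id' field '$field' contains script-like markup\n";
        }
    }
}

// Side-by-side rendering of the tampered record: the unsafe output carries the
// script through verbatim, the safe output turns it into inert text.
echo render_modal_unsafe($modal_store['tampered'], 'tampered'), "\n";
echo render_modal_safe($modal_store['tampered'], 'tampered'), "\n";
```

Run it with `php modal_example.php`: the audit loop reports both fields of the 'tampered' record and nothing for 'welcome', and the two rendered lines show the same stored data once as live markup and once fully escaped. The design choice worth noting is that escaping happens at output time regardless of what was done at save time; sanitizing on save (sanitize_text_field() in WordPress) is a useful second layer, but it does not protect records that were stored before the fix, which is exactly why the advisory recommends auditing existing modal content.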