Skip to main content

Hello Bar Popup Builder CVE-2026-39666

| EUVDEUVD-2026-20340 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-qcfx-2rwj-377x
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20340
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in telepathy Hello Bar Popup Builder hellobar allows DOM-Based XSS.This issue affects Hello Bar Popup Builder: from n/a through <= 1.5.1.

AnalysisAI

DOM-Based XSS in Hello Bar Popup Builder WordPress plugin versions up to 1.5.1 allows authenticated attackers with low privileges to inject arbitrary scripts that execute in users' browsers with the affected site's context. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS score of 0.03% (8th percentile) and CISA SSVC assessment of non-automatable exploitation with partial technical impact indicate this is a low real-world priority despite moderate CVSS score, though authenticated access and user interaction requirements limit immediate threat surface.

Technical ContextAI

Cross-site scripting (CWE-79) vulnerabilities in web applications arise from improper neutralization of user-supplied input during dynamic page generation. In this case, the Hello Bar Popup Builder plugin fails to sanitize or encode user input before inserting it into the Document Object Model (DOM), enabling attackers to inject malicious JavaScript. DOM-based XSS differs from stored or reflected variants by executing entirely on the client side without server-side reflection, though the initial payload injection point may originate from plugin settings or cached data that authenticated users can control. The affected product is identified by CPE cpe:2.3:a:telepathy:hello_bar_popup_builder, indicating the WordPress plugin distributed by Telepathy across all versions from initial release through 1.5.1.

RemediationAI

Update Hello Bar Popup Builder to a version released after 1.5.1; vendors typically increment to 1.5.2 or later to address identified DOM-XSS issues, though exact patched version numbers should be confirmed via the official Telepathy plugin repository or Patchstack advisory. Immediate patching is recommended for sites where authenticated administrators or editors could be targeted by malicious site visitors, though the requirement for both authentication and user interaction means this is not an emergency-level priority. Administrators should review plugin update history on the WordPress plugin directory and apply the latest available version of Hello Bar Popup Builder. Until patching is completed, ensure that only trusted administrators have access to Hello Bar configuration settings and monitor site activity for unusual script injection attempts via browser developer console or web application firewall logs. References: https://patchstack.com/database/Wordpress/Plugin/hellobar/vulnerability/wordpress-hello-bar-popup-builder-plugin-1-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve and https://nvd.nist.gov/vuln/detail/CVE-2026-39666.

Share

CVE-2026-39666 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy