Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable unauthenticated XSS requiring victim interaction; scope changes to browser/site context with low confidentiality, integrity, and availability impact via injected script.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in HollerBox <= 2.3.10.1 versions.
AnalysisAI
Unauthenticated reflected/stored cross-site scripting in the HollerBox WordPress plugin (versions 2.3.10.1 and earlier) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 due to the scope change (S:C) reflecting the WordPress site context being affected from injected content; no public exploit identified at time of analysis and no CISA KEV listing exists.
Technical ContextAI
HollerBox (also known as Holler Box) is a WordPress plugin by Groundhogg used to display popups, notification bars, and lead-capture widgets on WordPress sites; the affected CPE is cpe:2.3:a:groundhogg:hollerbox:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied data is rendered into HTML/JS contexts without proper output encoding or input sanitization, allowing script injection. Because the CVSS vector includes S:C (scope changed), the executed script runs in the trust context of the WordPress site, enabling cross-origin impact such as session theft or admin-session abuse if an authenticated administrator triggers the payload.
RemediationAI
Upgrade the HollerBox plugin to a version newer than 2.3.10.1 once the vendor publishes a fixed release; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/holler-box/vulnerability/wordpress-hollerbox-plugin-2-3-10-1-cross-site-scripting-xss-vulnerability should be consulted for the exact fixed version, as no specific patched version was supplied in this intelligence. As compensating controls until patched, deploy a WordPress WAF rule (e.g., Patchstack, Wordfence) that filters script tags and JavaScript event handlers on HollerBox endpoints, deactivate the HollerBox plugin if it is not in active use (eliminates the attack surface entirely but removes popup/notification functionality), and enforce a strict Content-Security-Policy header that disallows inline scripts (may break legitimate inline JS in themes/plugins and requires testing). Administrators should also avoid clicking unknown links to their own site while authenticated, since admin-session interaction is what makes XSS dangerous.
The Fast & Effective Popups & Lead-Generation for WordPress plugin before 2.1.4 concatenates user input into an SQL quer
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36859
GHSA-j36x-g5wc-m7vg