Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in telepathy Hello Bar Popup Builder hellobar allows DOM-Based XSS.This issue affects Hello Bar Popup Builder: from n/a through <= 1.5.1.
AnalysisAI
DOM-Based XSS in Hello Bar Popup Builder WordPress plugin versions up to 1.5.1 allows authenticated attackers with low privileges to inject arbitrary scripts that execute in users' browsers with the affected site's context. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS score of 0.03% (8th percentile) and CISA SSVC assessment of non-automatable exploitation with partial technical impact indicate this is a low real-world priority despite moderate CVSS score, though authenticated access and user interaction requirements limit immediate threat surface.
Technical ContextAI
Cross-site scripting (CWE-79) vulnerabilities in web applications arise from improper neutralization of user-supplied input during dynamic page generation. In this case, the Hello Bar Popup Builder plugin fails to sanitize or encode user input before inserting it into the Document Object Model (DOM), enabling attackers to inject malicious JavaScript. DOM-based XSS differs from stored or reflected variants by executing entirely on the client side without server-side reflection, though the initial payload injection point may originate from plugin settings or cached data that authenticated users can control. The affected product is identified by CPE cpe:2.3:a:telepathy:hello_bar_popup_builder, indicating the WordPress plugin distributed by Telepathy across all versions from initial release through 1.5.1.
RemediationAI
Update Hello Bar Popup Builder to a version released after 1.5.1; vendors typically increment to 1.5.2 or later to address identified DOM-XSS issues, though exact patched version numbers should be confirmed via the official Telepathy plugin repository or Patchstack advisory. Immediate patching is recommended for sites where authenticated administrators or editors could be targeted by malicious site visitors, though the requirement for both authentication and user interaction means this is not an emergency-level priority. Administrators should review plugin update history on the WordPress plugin directory and apply the latest available version of Hello Bar Popup Builder. Until patching is completed, ensure that only trusted administrators have access to Hello Bar configuration settings and monitor site activity for unusual script injection attempts via browser developer console or web application firewall logs. References: https://patchstack.com/database/Wordpress/Plugin/hellobar/vulnerability/wordpress-hello-bar-popup-builder-plugin-1-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve and https://nvd.nist.gov/vuln/detail/CVE-2026-39666.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20340
GHSA-qcfx-2rwj-377x