CVE-2025-13900
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wppopupmagic | up to 1.0.0 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WP Popup Magic WordPress plugin. It occurs via the 'name' parameter of the [wppum_end] shortcode in all versions up to 1.0.0. Due to insufficient input sanitization and output escaping, authenticated users with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising user interactions. [1]
How can this vulnerability impact me?
The impact of this vulnerability includes the ability for attackers with Contributor-level access to inject malicious scripts that execute in the context of other users visiting the affected pages. This can lead to theft of user credentials, session hijacking, defacement, or distribution of malware. Since the vulnerability allows script execution without user interaction, it can compromise site integrity and user trust. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying the presence of the WP Popup Magic plugin version 1.0.0 or earlier on your WordPress installation and checking for usage of the 'wppum_end' shortcode with the 'name' parameter that could contain malicious scripts. Since the vulnerability is a Stored Cross-Site Scripting (XSS) triggered by authenticated users with Contributor-level access or higher, monitoring for unusual or unauthorized shortcode content in posts or pages is key. Specific commands are not provided in the resources, but you can search your WordPress database for posts containing the shortcode '[wppum_end' with suspicious 'name' parameters. For example, using WP-CLI, you might run a command like:

`wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[wppum_end%name=%'"`

to find posts containing the shortcode. Additionally, monitoring HTTP requests and user activity logs for unexpected script injections or popup behavior may help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Restricting Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with such access to exploit.
2. Removing or disabling the WP Popup Magic plugin until a patched version is available.
3. Reviewing and sanitizing any existing content that uses the 'wppum_end' shortcode with the 'name' parameter to remove any injected scripts.
4. Applying any available updates or patches from the plugin developer once released.
5. Monitoring your site for suspicious popup behavior or script execution.

Since the vulnerability arises from insufficient input sanitization and output escaping, avoiding use of the vulnerable shortcode or plugin version is critical until fixed. [1]
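As an added example (not from the BaseFortify page or the WP Popup Magic plugin), the following Python scanner supports the detection answer above and mitigation step 3: it parses each `[wppum_end ...]` shortcode out of post content and flags 'name' values that contain markup. The attribute regex, the suspicious-pattern list and the sample posts are constructed for this example and only approximate WordPress's own shortcode parser.

```python
import re

# Matches one [wppum_end ...] shortcode and captures its raw attribute text.
# Approximation of WordPress shortcode syntax, written for this example;
# a ']' inside a quoted attribute value is not handled.
SHORTCODE_RE = re.compile(r"\[wppum_end\b([^\]]*)\]", re.IGNORECASE)
# key="value", key='value' or key=value
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# A popup name should be plain text, so any of these deserves a manual look.
# Heuristic only: expect occasional false positives (a name containing "one=").
SUSPICIOUS = [
    re.compile(r"<\s*/?\s*[a-z]", re.I),   # HTML tag opener
    re.compile(r"javascript\s*:", re.I),   # javascript: URL
    re.compile(r"\bon[a-z]+\s*=", re.I),   # inline event handler attribute
    re.compile(r"&#|&lt;|%3c", re.I),      # encoded angle brackets
]

def parse_attrs(raw):
    """Turn the raw attribute text of one shortcode into a dict."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        # exactly one of the three value groups matched
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def find_suspicious_shortcodes(post_id, content):
    """Return (post_id, name) for each wppum_end whose name attribute looks like markup."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        name = parse_attrs(m.group(1)).get("name", "")
        if any(p.search(name) for p in SUSPICIOUS):
            findings.append((post_id, name))
    return findings

def scan_posts(posts):
    """posts: iterable of (ID, post_content) rows, e.g. the WP-CLI query output."""
    results = []
    for post_id, content in posts:
        results.extend(find_suspicious_shortcodes(post_id, content))
    return results

# Constructed sample rows standing in for wp_posts output.
SAMPLE_POSTS = [
    (101, 'Welcome! [wppum_end name="Newsletter"] Thanks for reading.'),
    (102, 'Sale [wppum_end name="Summer <script>x</script>"] ends soon.'),
    (103, "[wppum_end name='Deal' delay=3] and [wppum_end name=\"Exit\"]"),
    (104, "No shortcode here."),
]
```

Feed it the (ID, post_content) rows returned by the WP-CLI query in the detection answer, adjusting the `wp_` table prefix if your site uses a different one.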