CVE-2025-14506
Stored XSS in ConvertForce Popup Builder Gutenberg Block
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| convertforce | popup_builder | to 0.0.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the ConvertForce Popup Builder WordPress plugin is a Stored Cross-Site Scripting (XSS) issue. It occurs via the Gutenberg block's `entrance_animation` attribute in versions up to and including 0.0.7. Due to insufficient input sanitization and output escaping, authenticated users with Author-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising user security. [1]
How can this vulnerability impact me? :
This vulnerability allows attackers with Author-level access or higher to inject malicious scripts into pages. When other users visit these pages, the injected scripts execute in their browsers, which can lead to theft of sensitive information, session hijacking, defacement, or other malicious actions. This compromises the security and integrity of the website and its users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying WordPress sites using the ConvertForce Popup Builder plugin version 0.0.7 or earlier. You can scan your WordPress installation plugins directory to check the plugin version. For example, use the command: `grep 'CONVERTFORCE_VERSION' wp-content/plugins/convertforce-popup-builder/convertforce-popup-builder.php` to find the plugin version. Additionally, monitoring HTTP requests for suspicious payloads in the Gutenberg block's `entrance_animation` attribute or unusual script injections in pages generated by the plugin may help detect exploitation attempts. However, no specific detection commands are provided in the resources. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the ConvertForce Popup Builder plugin to version 0.0.8 or later, which includes security fixes that sanitize user input and prevent stored cross-site scripting via the `entrance_animation` attribute. If updating is not immediately possible, restrict Author-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with at least Author-level access to exploit. Additionally, consider implementing Web Application Firewall (WAF) rules to block malicious payloads targeting this vulnerability. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources and context do not contain information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.