CVE-2025-12122
Stored XSS in Popup Box WordPress Plugin iframeBox Shortcode
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| popup_box | popup_box | to 3.2.12 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability allows attackers with contributor-level access or above to inject malicious scripts into pages via the iframe shortcode.
When other users visit these pages, the injected scripts execute in their browsers, which can lead to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of the user.
The CVSS score of 6.4 indicates a medium severity impact, with potential confidentiality and integrity loss but no impact on availability.
Can you explain this vulnerability to me?
The Popup Box β Easily Create WordPress Popups plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its 'iframeBox' shortcode in all versions up to and including 3.2.12.
This vulnerability exists because the plugin does not properly sanitize or escape user-supplied attributes in the iframe shortcode.
As a result, authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising user security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'iframeBox' shortcode in the Popup Box WordPress plugin. Detection typically involves identifying pages or posts where the iframeBox shortcode is used with potentially malicious or unexpected iframe attributes.
To detect exploitation attempts or presence of malicious iframe attributes, you can search your WordPress database or content for iframeBox shortcode usage with suspicious scripts or unusual attribute values.
- Use a database query to find posts containing the iframeBox shortcode, for example in MySQL: SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[iframeBox%';
- Search for suspicious iframe attributes or script tags within posts: SELECT ID, post_content FROM wp_posts WHERE post_content REGEXP '<iframe[^>]*script|javascript:';
- On the server, you can use grep to scan WordPress content files or backups for suspicious iframeBox shortcode usage: grep -r '\[iframeBox' /path/to/wordpress/wp-content/
Additionally, monitoring web server logs for unusual requests or payloads targeting the iframeBox shortcode may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Popup Box WordPress plugin to version 3.2.13 or later, which includes a security fix that properly sanitizes and escapes iframe attributes to prevent injection attacks.
If immediate updating is not possible, restrict contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with contributor-level access or above to exploit.
Consider temporarily disabling or removing the iframeBox shortcode usage in your WordPress content until the plugin is updated.
Monitor your site for suspicious activity or injected scripts and clean any compromised content.