CVE-2026-2420
Stored XSS in LotekMedia Popup Form Plugin Allows Script Injection
Publication date: 2026-03-07
Last updated on: 2026-03-07
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lotekmedia | popup_form | up to and including 1.0.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2420 is a stored Cross-Site Scripting vulnerability in the LotekMedia Popup Form WordPress plugin, affecting all versions up to and including 1.0.6. The issue arises from insufficient input sanitization and output escaping in the plugin settings, which allows authenticated users with Administrator-level access or higher to inject arbitrary web scripts into the stored settings. The injected script then executes in the browser of every visitor who loads a frontend page where the popup is displayed.
Technically, the root cause is a settings path that neither sanitizes values when they are saved nor escapes them when they are rendered into the frontend popup (CWE-79), so a stored `<script>` tag or inline event handler such as `onerror=` runs as part of the page. The same unsafe handling extends to the plugin's AJAX email sending function, where user-supplied name and email inputs are placed directly into mail headers without validation; only SQL-style escaping with the deprecated `mysql_real_escape_string()` (removed in PHP 7) is applied there. SQL escaping neutralizes neither HTML markup nor CR/LF characters, so it prevents neither Stored XSS nor Email Header Injection, in which a line break inside a name or address appends further headers such as `Bcc:`. Only CWE-79 is recorded for this CVE; the header-injection path is an additional finding of this write-up.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker who holds, or has compromised, an Administrator account to inject script into your website's popup forms. The script runs in the browser of every visitor who loads a page where the popup is displayed, which can lead to theft of sensitive information, session hijacking, or further actions performed in the victim's name.
Additionally, the email header injection described above would let an attacker send spam or phishing emails through your website's mail path by appending headers such as extra recipients. This can damage your site's reputation, lead to blacklisting of your email domain, and undermine your users' trust.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored cross-site scripting (and, per the analysis above, email header injection) in the LotekMedia Popup Form WordPress plugin, versions up to and including 1.0.6. Detection has two parts: confirming that an affected version is installed, and looking for evidence that the settings or the AJAX mail endpoint have been abused.
To detect the vulnerability on your system, you can:
- Check the installed WordPress plugins for 'LotekMedia Popup Form' and verify whether its version is 1.0.6 or earlier. Version strings compare field by field as numbers, so 1.0.10 is newer than 1.0.6.
- Search the plugin files for the AJAX mail handler `ltm_send_popup_mail()`. This write-up names the file as `ltm-popup-form.php`, while the vendor table above lists the plugin slug as `popup_form`, so confirm the actual directory name under `wp-content/plugins/` before relying on a fixed path.
- Monitor web server logs for POST requests to `wp-admin/admin-ajax.php` with the action parameter `ltm_send_popup_mail`. A browser-submitted form places `action` in the POST body, which access logs do not record, so only requests that carry it in the query string (or logs from a setup that records request bodies) will show it; an empty result does not prove the endpoint was never called.
- Use commands such as the following on the server hosting WordPress:
1. To find the plugin and its version: `grep -r 'Plugin Name: LotekMedia Popup Form' wp-content/plugins/`, then read the `Version:` line in the same file header. With WP-CLI, `wp plugin list --fields=name,version,status` gives the same answer in one call.
2. To search for the vulnerable function: `grep -r 'function ltm_send_popup_mail' wp-content/plugins/` (searching the whole plugins directory avoids depending on the exact slug).
3. To find AJAX requests related to the plugin in web server logs: `grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'ltm_send_popup_mail'` (adjust the log path as needed, e.g. `/var/log/nginx/access.log`).
Additionally, scanning the plugin's stored settings and popup content for `<script` tags, inline event handlers (`onerror=`, `onload=`) or `javascript:` URLs may reveal a payload that is already in place.
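The following shell script is an example added for this page, not code from the LotekMedia plugin or from the advisory. It turns the checks listed above, the stored-settings review recommended in the mitigation section, and the header-injection path described in the explanation into functions: a version check that compares fields numerically, a scan of settings values for executable markup, a scan of mail fields for raw or URL-encoded line breaks, and an access-log filter that only sees the action when it is in the query string. It assumes the standard WordPress `Version:` plugin header and the `ltm_send_popup_mail` action name stated on this page; the plugin header, option values and log lines it works on are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example for this advisory page, not code from the LotekMedia plugin or
# from the advisory. Assumptions: the plugin uses the standard WordPress
# "Version:" header and the AJAX action is named ltm_send_popup_mail as stated
# on the page. All inputs below are constructed for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed plugin header in the form WordPress reads for the version.
cat > "$WORK/popup_form.php" <<'EOF'
<?php
/**
 * Plugin Name: LotekMedia Popup Form
 * Version: 1.0.6
 */
EOF

# Constructed access-log lines: the first request carries the action in the
# query string, the second only in the POST body (which the log cannot show).
cat > "$WORK/access.log" <<'EOF'
203.0.113.7 - - [06/Mar/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=ltm_send_popup_mail HTTP/1.1" 200 14 "-" "curl/8.6.0"
203.0.113.7 - - [06/Mar/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
198.51.100.2 - - [06/Mar/2026:10:02:00 +0000] "GET /wp-content/plugins/popup_form/css/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF

# Print the "Version:" value from a plugin's main file (first match only).
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# True when dotted version $1 <= $2, compared field by field as integers,
# so 1.0.10 is treated as newer than 1.0.6 (plain string order gets this wrong).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# Affected range per the advisory: every version up to and including 1.0.6.
is_affected() { version_le "$1" "1.0.6"; }

# True when a stored settings value carries markup that would execute on the
# frontend: a script tag, a javascript: URL, or an inline event handler.
has_xss_payload() {
    printf '%s' "$1" | grep -Eiq '<script|javascript:|(^|[[:space:]])on[a-z]+[[:space:]]*='
}

# True when a name or email field contains a line break, raw or URL-encoded,
# which is what lets a value append extra mail headers (for example Bcc:).
has_header_injection() {
    cr=$(printf '\r')
    lf='
'
    case "$1" in
        *"$cr"*|*"$lf"*|*%0[aAdD]*) return 0 ;;
    esac
    return 1
}

# Lines that reached admin-ajax.php with the plugin's action in the query string.
# A normally submitted form sends "action" in the body, which access logs do not
# record, so an empty result does not prove the endpoint was never called.
scan_access_log() {
    grep 'admin-ajax.php' "$1" | grep 'action=ltm_send_popup_mail'
}

# Run every check against the constructed inputs and print a short report.
report() {
    v=$(plugin_version "$WORK/popup_form.php")
    if is_affected "$v"; then
        echo "popup_form $v: in affected range (<= 1.0.6)"
    else
        echo "popup_form $v: not affected"
    fi
    for val in 'Subscribe to our newsletter' '<img src=x onerror=alert(document.cookie)>'; do
        if has_xss_payload "$val"; then echo "XSS payload in setting: $val"; fi
    done
    for val in 'alice@example.test' "$(printf 'alice@example.test\r\nBcc: spam@attacker.test')"; do
        if has_header_injection "$val"; then echo "header injection in mail field"; fi
    done
    scan_access_log "$WORK/access.log"
}

report
```

Point `plugin_version` at the real main plugin file and `scan_access_log` at the live access log to use it on a site; `has_xss_payload` and `has_header_injection` can be fed the output of `wp option get <name>` for each option the plugin stores.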
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-2420 vulnerability in the LotekMedia Popup Form plugin, immediate steps include:
- Update the plugin to a release later than 1.0.6 that the vendor marks as fixed; check the plugin changelog or the Wordfence advisory for the exact fixed version.
- If no update is available, temporarily deactivate or uninstall the LotekMedia Popup Form plugin to prevent exploitation.
- Restrict Administrator-level access to trusted accounts and harden those accounts (strong passwords, two-factor authentication), since exploitation requires an authenticated Administrator; the realistic attacker is a compromised or malicious admin.
- Review the values the plugin has stored in its settings (its rows in wp_options) and the popup content for script tags, inline event handlers or CR/LF sequences, and remove anything unexpected.
- Monitor outgoing emails from the WordPress site for suspicious or unauthorized messages that may indicate exploitation.
Long-term mitigation is a code fix in the plugin: sanitize inputs on save (sanitize_text_field(), sanitize_email()), escape on output (esc_html(), esc_attr(), or wp_kses_post() where limited HTML is intended), validate mail fields with is_email() and reject any value containing CR or LF before it reaches a header, and protect the AJAX handler with check_ajax_referer() plus a capability check. Note that mysql_real_escape_string() is an SQL escaping function (removed in PHP 7) that addresses neither HTML output nor mail headers, so replacing it is necessary but not sufficient.