CVE-2025-9856
📋 TL;DR
This stored XSS vulnerability in the Popup Builder WordPress plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts via the 'sg_popup' shortcode. The scripts execute when users view pages containing the injected content, potentially compromising visitor browsers. All WordPress sites using Popup Builder versions up to 4.4.1 are affected.
💻 Affected Systems
- Popup Builder – Create highly converting, mobile friendly marketing popups WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, redirect users to malicious sites, deface websites, or install malware on visitor systems through persistent script execution.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies, redirect to phishing pages, or display unwanted content to site visitors.
If Mitigated
With proper user role management and content review processes, the impact is limited to potential content defacement by trusted users.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple. Public proof-of-concept exists in vulnerability references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3384281
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Popup Builder plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 4.4.2+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Restrict User Roles
allTemporarily remove contributor-level posting permissions until patch is applied
Disable Shortcode
allRemove or disable the vulnerable 'sg_popup' shortcode functionality
Add to theme's functions.php: remove_shortcode('sg_popup');
🧯 If You Can't Patch
- Implement strict content review process for all posts/pages created by contributors
- Install web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Popup Builder version. If version is 4.4.1 or lower, you are vulnerable.Check Version:
wp plugin list --name=popup-builder --field=versionVerify Fix Applied:
After updating, verify plugin version shows 4.4.2 or higher in WordPress admin plugins page.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin with sg_popup parameters
- Multiple content updates from contributor accounts
Network Indicators:
- Script tags with unusual attributes in page responses
- External script loads from unexpected domains
SIEM Query:
source="wordpress" AND (sg_popup OR script OR javascript) AND status=200🔗 References
- https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/classes/popups/SGPopup.php#L1368
- https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/helpers/AdminHelper.php#L438
- https://plugins.trac.wordpress.org/changeset/3384281
- https://www.wordfence.com/threat-intel/vulnerabilities/id/beb6b26a-3fe1-44e0-9fda-97b288abf735?source=cve
