CVE-2019-25744

MEDIUM WAF: High

CVSS 5.4 Published: 2026-06-04

CWE-79

WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payloads in the post_title field that execute when pages or posts display popup selections.

WAF Coverage Analysis

Cross-Site Scripting (XSS) High WAF Coverage

OWASP: A03:2021 Injection

941xxx - XSS / XXE

References

popup-builder.com
wordpress.org
www.exploit-db.com
www.vulncheck.com

Back to CVE Database