CVE-2025-24746 is a stored cross-site scripting (XSS) vulnerability identified in the Daniel Iser Popup Maker plugin for WordPress, affecting all versions up to 1.20.2. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be stored persistently within the plugin's data. When a victim visits a page containing the malicious popup, the injected script executes in their browser context. This can lead to a range of attacks including session hijacking, theft of cookies or credentials, unauthorized actions on behalf of the user, and redirection to phishing or malware sites. The vulnerability does not require authentication, increasing its risk profile, and no user interaction beyond visiting the affected page is necessary for exploitation. Although no known exploits have been reported in the wild, the widespread use of Popup Maker in WordPress sites makes this a significant threat. The lack of an official patch at the time of publication means that affected sites remain vulnerable. The vulnerability was reserved and published in January 2025, with Patchstack as the assigner. The absence of a CVSS score necessitates an expert severity assessment based on the technical details and impact potential.

The impact of CVE-2025-24746 is considerable for organizations using the Popup Maker plugin on their WordPress sites. Successful exploitation can compromise user confidentiality by stealing session cookies and personal data, undermine integrity by allowing attackers to inject malicious content or manipulate site behavior, and potentially affect availability if attackers use the vulnerability to conduct further attacks such as defacement or redirect users to denial-of-service resources. Since the vulnerability is stored XSS, the malicious payload persists and can affect multiple users over time. This is especially critical for e-commerce, financial, healthcare, and other sectors where trust and data protection are paramount. The ease of exploitation without authentication or complex prerequisites increases the likelihood of attacks, which could lead to reputational damage, regulatory penalties, and financial losses. Organizations relying on Popup Maker for marketing or user engagement must consider the risk of customer data exposure and loss of user trust.

Organizations should immediately review their use of the Popup Maker plugin and plan to update to a patched version once available. Until a patch is released, mitigation steps include disabling or uninstalling the Popup Maker plugin to eliminate the attack surface. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads can provide temporary protection. Site administrators should audit all popup content for suspicious or unexpected scripts and sanitize inputs manually if feasible. Employing Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts. Regularly monitoring web logs and user reports for signs of exploitation is advised. Additionally, educating users about the risks of clicking suspicious links and maintaining up-to-date backups will aid in recovery if an attack occurs. Finally, subscribing to vendor and security mailing lists will ensure timely awareness of patches and advisories.