CVE-2025-25105 is a stored Cross-site Scripting (XSS) vulnerability found in the coffeestudios Pop Up plugin, specifically affecting versions up to and including 0.1. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be injected and stored persistently within the plugin's output. When a victim visits a compromised page, the malicious script executes in their browser context, potentially leading to theft of cookies, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of the user. Stored XSS is particularly dangerous because the payload is saved on the server and delivered to multiple users, increasing the attack surface. The plugin in question is designed to create SEO-optimized pop-ups, which are commonly used on websites to engage visitors, making it a likely target for attackers seeking to exploit high-traffic sites. No CVSS score has been assigned yet, and no patches or known exploits are currently documented. The vulnerability was reserved and published in early February 2025 by Patchstack, indicating recent discovery. The absence of authentication requirements and the persistent nature of the vulnerability make it a significant risk for affected sites.

The impact of CVE-2025-25105 is substantial for organizations using the coffeestudios Pop Up plugin. Successful exploitation can compromise the confidentiality and integrity of user data by enabling attackers to steal session cookies, credentials, or perform actions on behalf of users. This can lead to account takeover, unauthorized transactions, or distribution of malware through malicious scripts. The availability of the affected service may also be indirectly impacted if attackers use the vulnerability to deface websites or inject disruptive content. Since the vulnerability is stored XSS, it affects all users who visit the compromised pages, amplifying the potential damage. Organizations relying on this plugin for marketing or user engagement may suffer reputational damage and loss of customer trust if exploited. The lack of an official patch increases the urgency for interim mitigations. Attackers do not require authentication or user interaction beyond visiting the affected page, which lowers the barrier for exploitation and increases the threat level.

To mitigate CVE-2025-25105, organizations should immediately audit their use of the coffeestudios Pop Up plugin and consider disabling it until a patch is available. Implement strict input validation on all user-supplied data to ensure that scripts or HTML tags are not accepted. Apply context-sensitive output encoding/escaping on all data rendered in web pages, especially within pop-up content. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. Monitor web server and application logs for unusual input patterns or suspicious activity indicative of exploitation attempts. Educate web developers and administrators about secure coding practices related to XSS. If possible, isolate or sandbox the pop-up functionality to limit the scope of any injected scripts. Stay updated with vendor announcements for official patches and apply them promptly once released. Additionally, consider using web application firewalls (WAFs) with rules targeting XSS payloads as a temporary protective measure.