CVE-2025-4205 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Popup Maker plugin for WordPress, developed by danieliser. This plugin is widely used to create popups aimed at boosting sales, conversions, opt-ins, and subscriber counts on WordPress websites. The vulnerability exists in all versions up to and including 1.20.4 and stems from improper input sanitization and output escaping of the 'popupID' parameter. Specifically, authenticated users with Contributor-level access or higher can inject arbitrary JavaScript code into pages via this parameter. Because the injected scripts are stored persistently, they execute whenever any user accesses the affected page, potentially compromising the confidentiality and integrity of user data. The vulnerability does not require user interaction to trigger once the malicious script is stored, and it affects the confidentiality and integrity of the system but not availability. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required at the contributor level. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the vulnerable component. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability falls under CWE-79, which is a common web application security weakness related to improper neutralization of input during web page generation, leading to XSS attacks.

For European organizations using WordPress websites with the Popup Maker plugin, this vulnerability poses a risk of unauthorized script execution that can lead to session hijacking, defacement, or redirection to malicious sites. Since the attack requires contributor-level access, the threat is more significant in environments where multiple users have elevated privileges, such as content management teams or agencies managing client websites. The stored nature of the XSS means that any visitor to the compromised page can be affected, potentially exposing large numbers of users to phishing or malware delivery. This can damage brand reputation, lead to data breaches involving personal data protected under GDPR, and cause regulatory and financial repercussions. The vulnerability's medium severity and the lack of user interaction required increase the risk profile, especially for e-commerce, media, and public sector websites prevalent in Europe. The impact on confidentiality and integrity is notable, although availability is not directly affected.

European organizations should immediately audit their WordPress installations to identify the presence of the Popup Maker plugin and its version. Until an official patch is released, organizations should restrict Contributor-level access strictly to trusted users and review existing user permissions to minimize the risk of exploitation. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'popupID' parameter can provide interim protection. Additionally, organizations should conduct thorough input validation and output encoding on any custom code interacting with the plugin. Monitoring website logs for unusual activities or script injections related to popups is recommended. Once a patch becomes available, prompt application of updates is critical. For high-risk environments, consider temporarily disabling the Popup Maker plugin or replacing it with alternative popup solutions that have no known vulnerabilities. User awareness training for administrators and contributors about the risks of XSS and safe content management practices will further reduce exploitation chances.