CVE-2025-66111 identifies a stored Cross-site Scripting (XSS) vulnerability in the Nelio Popups plugin developed by Nelio Software, affecting all versions up to and including 1.3.0. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, specifically within popup content managed by the plugin. Stored XSS means that malicious scripts injected by an attacker are permanently stored on the target system (e.g., in the popup content database) and executed whenever a user views the affected popup. This can enable attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, defacement, or redirection to malicious sites. The CVSS v3.1 base score is 6.1, indicating medium severity, with an attack vector of network (remote exploitation), low attack complexity, no privileges required, but requiring user interaction. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable module. Confidentiality and integrity impacts are low, and availability is unaffected. No known exploits are currently reported in the wild. The vulnerability is relevant for websites using Nelio Popups, a WordPress plugin commonly used to create and manage popup windows for marketing or user engagement purposes. Since WordPress powers a significant portion of European websites, especially in e-commerce and media sectors, this vulnerability could be leveraged to target site visitors or administrators. The lack of a patch link indicates that a fix may not yet be publicly available, underscoring the need for vigilance and interim mitigations.

For European organizations, the primary impact of CVE-2025-66111 lies in the potential compromise of user confidentiality and integrity through the execution of malicious scripts in users’ browsers. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, and unauthorized actions performed on behalf of users. While availability is not impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches involving personal data could be significant. Organizations relying on Nelio Popups for customer engagement, marketing, or user interaction on their WordPress sites are at risk, especially if these sites handle sensitive user data or financial transactions. Attackers could exploit this vulnerability to target customers or employees, potentially facilitating phishing or further attacks. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once a patch is released or if the vulnerability is disclosed widely. European entities with high web traffic and customer interaction through WordPress sites are particularly vulnerable, making proactive mitigation essential.

1. Monitor Nelio Software’s official channels and trusted vulnerability databases for the release of a security patch addressing CVE-2025-66111 and apply it promptly once available. 2. Until a patch is available, implement strict input validation and sanitization on all user inputs that can be rendered in popups, either through custom code or security plugins that provide XSS filtering. 3. Deploy a robust Content Security Policy (CSP) that restricts the execution of inline scripts and limits sources of executable scripts to trusted domains, reducing the impact of potential XSS payloads. 4. Regularly audit and review popup content for suspicious or unauthorized scripts or HTML injections. 5. Educate site administrators and content creators about the risks of injecting untrusted content into popups. 6. Employ Web Application Firewalls (WAFs) with rules designed to detect and block common XSS attack patterns targeting WordPress plugins. 7. Maintain up-to-date backups of website content and databases to enable rapid recovery if an attack occurs. 8. Limit user permissions on WordPress to the minimum necessary to reduce the risk of malicious content injection by compromised accounts.