CVE-2025-66111 identifies a Stored Cross-Site Scripting (XSS) vulnerability in the Nelio Popups plugin developed by Nelio Software, affecting all versions up to and including 1.3.0. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, specifically within popup content managed by the plugin. This flaw allows an attacker to inject malicious JavaScript code that is stored persistently and executed in the context of users viewing the affected popup. The attack vector is remote, requiring no authentication, but does require user interaction to trigger the malicious script execution. The vulnerability impacts confidentiality and integrity by potentially enabling session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The CVSS v3.1 base score is 6.1, reflecting medium severity, with an attack vector of network, low attack complexity, no privileges required, user interaction required, and scope changed due to the impact extending beyond the vulnerable component. There are no known exploits in the wild at this time, and no official patches have been released, though the vendor is expected to address the issue. The plugin is widely used in WordPress environments to create and manage popups, making this vulnerability relevant to many websites that rely on this functionality for marketing, user engagement, or notifications.

For European organizations, the impact of this vulnerability can be significant depending on the extent of Nelio Popups usage within their web infrastructure. Exploitation could lead to unauthorized access to user sessions, theft of sensitive information such as cookies or credentials, and potential defacement or manipulation of website content. This can damage organizational reputation, lead to loss of customer trust, and potentially result in regulatory non-compliance under GDPR if personal data is compromised. E-commerce platforms and service providers using Nelio Popups for customer engagement are particularly at risk. The medium severity rating indicates that while the vulnerability is not critical, it still poses a tangible threat that could be leveraged as part of a broader attack chain. The lack of known exploits in the wild reduces immediate risk but should not lead to complacency. Organizations with high web traffic and customer interaction in Europe could face targeted attacks exploiting this vulnerability to conduct phishing, fraud, or data exfiltration campaigns.

Organizations should immediately inventory their WordPress installations to identify usage of Nelio Popups and the affected versions. Until an official patch is released, they should consider disabling the plugin or restricting popup content creation to trusted administrators only. Implementing a Web Application Firewall (WAF) with robust XSS filtering rules can help detect and block malicious payloads targeting this vulnerability. Input validation and output encoding should be enforced rigorously on all user-generated content within popups. Monitoring website logs and user reports for unusual popup behavior or unexpected script execution is critical. Educating website administrators and users about the risks of clicking on suspicious popups can reduce the likelihood of successful exploitation. Once patches become available, prompt application is essential. Additionally, employing Content Security Policy (CSP) headers can mitigate the impact of injected scripts by restricting script sources. Regular security audits and penetration testing focusing on web application vulnerabilities will help detect similar issues proactively.