CVE-2025-9490 is a stored Cross-Site Scripting (XSS) vulnerability found in the Popup Maker WordPress plugin developed by danieliser, specifically affecting all versions up to and including 1.20.6. The vulnerability arises due to improper input sanitization and output escaping of the 'title' parameter within the plugin. This flaw allows authenticated users with Contributor-level privileges or higher to inject arbitrary malicious JavaScript code into pages generated by the plugin. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected website. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4 (medium severity), reflecting a network attack vector with low attack complexity, requiring privileges (Contributor or above), no user interaction, and impacting confidentiality and integrity with a scope change. No known exploits have been reported in the wild as of the publication date (September 26, 2025). This vulnerability is particularly critical for WordPress sites using the Popup Maker plugin to boost sales and conversions, as it can undermine user trust and site integrity.

For European organizations, this vulnerability poses a significant risk especially for businesses relying on WordPress websites with the Popup Maker plugin for marketing, sales, or subscriber engagement. Exploitation could lead to unauthorized script execution affecting site visitors and administrators, resulting in data theft, session hijacking, or defacement. This can damage brand reputation, lead to regulatory non-compliance (e.g., GDPR breaches if personal data is compromised), and cause financial losses. Since the vulnerability requires Contributor-level access, insider threats or compromised accounts could be leveraged by attackers. The scope change in the CVSS score indicates that the vulnerability could affect resources beyond the initially compromised component, potentially impacting other parts of the website or connected systems. European organizations with e-commerce, media, or customer engagement platforms using this plugin are at heightened risk.

1. Immediate upgrade: Organizations should promptly update the Popup Maker plugin to the latest version once a patch is released by the vendor. Since no patch links are currently available, monitoring vendor advisories is critical. 2. Access control review: Restrict Contributor-level and higher privileges strictly to trusted users. Implement multi-factor authentication (MFA) to reduce the risk of account compromise. 3. Input validation and sanitization: Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'title' parameter. 4. Content Security Policy (CSP): Deploy strict CSP headers to mitigate the impact of XSS by restricting script execution sources. 5. Regular security audits: Conduct periodic code reviews and vulnerability scans focusing on WordPress plugins and user input handling. 6. Incident response readiness: Prepare to detect and respond to potential exploitation attempts, including monitoring logs for anomalous activities related to the plugin. 7. User awareness: Educate site administrators and contributors about the risks of XSS and safe content management practices.