CVE-2026-2420 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the LotekMedia Popup Form plugin for WordPress in all versions up to and including 1.0.6. The root cause is insufficient sanitization and escaping of input data within the plugin's settings interface, which allows authenticated users with Administrator or higher privileges to inject arbitrary JavaScript code. This malicious code is then stored persistently and executed in the browsers of any users who visit frontend pages where the popup form is rendered. Because the vulnerability requires administrative access to exploit, it primarily poses a risk from insider threats or attackers who have already compromised admin credentials. The vulnerability impacts confidentiality and integrity by enabling script injection that could steal session tokens, deface content, or perform unauthorized actions on behalf of users. The CVSS 3.1 score is 4.4 (medium), reflecting network attack vector, high attack complexity, required privileges, no user interaction, and limited confidentiality and integrity impact without availability effects. No public exploits have been observed, but the vulnerability remains a concern for WordPress sites using this plugin, especially those with multiple administrators or less stringent access controls.

The primary impact of this vulnerability is the potential for malicious script injection that can compromise user session data, deface website content, or conduct unauthorized actions under the context of affected users. Since the exploit requires administrator-level access, the risk is elevated in environments where admin credentials are weak, reused, or compromised. Attackers could leverage this to escalate privileges, pivot to other parts of the network, or conduct phishing attacks targeting site visitors. The vulnerability undermines the confidentiality and integrity of the website and its users but does not affect availability. Organizations running WordPress sites with the LotekMedia Popup Form plugin are at risk of reputational damage, data leakage, and loss of user trust if exploited. The medium severity score indicates moderate urgency but should not be ignored, especially in high-value or high-traffic environments.

To mitigate this vulnerability, organizations should first update the LotekMedia Popup Form plugin to a patched version once released by the vendor. Until a patch is available, restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious script injections in plugin settings or frontend pages. Conduct regular audits of plugin settings for unauthorized changes and monitor logs for anomalous administrator activity. Additionally, apply Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the frontend. Educate administrators on secure plugin management and the risks of stored XSS. Finally, consider isolating or disabling the vulnerable plugin if it is not essential to reduce the attack surface.