CVE-2025-12122 Overview
The Popup Box – Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the plugin's iframeBox shortcode in all versions up to, and including, 3.2.12. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in the context of other users' browser sessions, potentially leading to session hijacking, credential theft, defacement, or malware distribution through compromised WordPress sites.
Affected Products
- Popup Box – Easily Create WordPress Popups plugin for WordPress versions up to and including 3.2.12
- WordPress installations using the vulnerable iframeBox shortcode functionality
- Sites where users have contributor-level or higher access permissions
Discovery Timeline
- 2026-02-18 - CVE-2025-12122 published to NVD
- 2026-02-18 - Last updated in the NVD database
Technical Details for CVE-2025-12122
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists in the Popup Box plugin's iframeBox shortcode implementation. The shortcode processes user-supplied attributes without adequate input sanitization or output escaping, allowing malicious JavaScript code to be stored in the WordPress database and executed when rendered on the frontend.
The attack requires authentication with at least contributor-level privileges, meaning an attacker must hold a valid WordPress account with content creation capabilities. Once malicious content is injected, it persists in the database and affects every user who views the compromised page, including administrators. The cross-site nature of the vulnerability means its impact reaches beyond the vulnerable plugin component itself: the injected script runs in the site's own origin, which is why the vulnerability's scope is rated as changed.
Root Cause
The root cause of this vulnerability is the lack of proper input validation and output encoding in the plugin's shortcode handler. When processing the iframeBox shortcode attributes, the plugin fails to sanitize user-controlled input before storing it in the database and does not properly escape the output when rendering the content on the page. This allows HTML and JavaScript code to be injected through shortcode attributes that are then rendered without modification in the page context.
Attack Vector
The attack vector is network-based and requires low privileges (contributor-level access). An attacker with valid WordPress credentials can create or edit a post or page containing the vulnerable iframeBox shortcode with malicious JavaScript embedded in its attributes. The attack does not require user interaction beyond the victim visiting the page containing the injected content.
The attacker crafts a shortcode with malicious attributes that include JavaScript event handlers or script elements. When a victim loads the page, the unescaped content is rendered in their browser, executing the attacker's JavaScript code in the context of the WordPress site. This can be leveraged to steal session cookies, perform actions on behalf of authenticated users, redirect users to malicious sites, or inject additional malicious content.
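The defect class described in the root cause and attack vector sections, shown as an added illustration rather than the Popup Box plugin's actual code: a generic iframe-embedding shortcode handler in the unsafe pattern, next to a hardened version. The shortcode tag comes from the advisory; the attribute names (url, width, height, title) and function names are assumptions.

```php
<?php
// Added illustration, not the Popup Box plugin's own code: a generic iframe-embedding
// shortcode handler written in the unsafe pattern the advisory describes, next to a
// hardened version. The attribute names (url, width, height, title) are assumptions.

// UNSAFE PATTERN: attribute values are concatenated straight into the markup.
// Contributor-level users cannot save raw HTML (wp_kses strips it on save), but the
// text "[iframeBox ...]" is not HTML, so it survives that filtering untouched; the HTML
// is produced only here, at render time, after kses has already run. A double quote
// inside an attribute value therefore closes the src="..." attribute and whatever
// follows is parsed as further markup. Note that shortcode_atts() already discards
// attributes that are not in the defaults list, so the weakness is the unescaped
// output of the known attributes, not unknown ones.
function iframebox_render_unsafe(array $atts): string {
    $atts = shortcode_atts(['url' => '', 'width' => '600', 'height' => '400', 'title' => ''], $atts, 'iframeBox');
    return '<iframe src="' . $atts['url'] . '" width="' . $atts['width']
         . '" height="' . $atts['height'] . '" title="' . $atts['title'] . '"></iframe>';
}

// HARDENED: validate each value for the context it lands in, then escape on output.
function iframebox_render_safe(array $atts): string {
    $atts = shortcode_atts(['url' => '', 'width' => '600', 'height' => '400', 'title' => ''], $atts, 'iframeBox');

    // URL context: esc_url() rejects anything that is not http(s) and encodes quotes and brackets.
    $url = esc_url($atts['url'], ['http', 'https']);
    if ($url === '') {
        return ''; // nothing valid to embed; never fall back to the raw value
    }
    // Numeric context: coerce to integers rather than echoing arbitrary strings.
    $width  = absint($atts['width'])  ?: 600;
    $height = absint($atts['height']) ?: 400;
    // Attribute context: esc_attr() encodes quotes so the value cannot leave the attribute.
    $title = esc_attr(sanitize_text_field($atts['title']));

    return sprintf('<iframe src="%s" width="%d" height="%d" title="%s"></iframe>', $url, $width, $height, $title);
}

add_shortcode('iframeBox', 'iframebox_render_safe');
```

The hardened handler escapes for the specific context of each attribute (URL, integer, HTML attribute) at the moment of output; sanitizing once on save is not sufficient for shortcodes because their HTML does not exist until render time.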
Detection Methods for CVE-2025-12122
Indicators of Compromise
- Unexpected JavaScript code or event handlers in post content containing iframeBox shortcodes
- Suspicious shortcode attributes with encoded or obfuscated JavaScript payloads
- Database entries in wp_posts containing malicious script tags within iframeBox shortcode blocks
- User reports of unexpected behavior, pop-ups, or redirects when viewing specific pages
Detection Strategies
- Review WordPress database content for posts and pages containing iframeBox shortcodes with suspicious attributes
- Implement Web Application Firewall (WAF) rules to detect XSS patterns in shortcode submissions
- Deploy SentinelOne Singularity XDR for real-time detection of malicious script execution in the browser context
- Enable WordPress audit logging to track shortcode usage and content modifications by contributor accounts
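A way to act on the indicators and the content-review strategy listed above, as an added example that is not part of the advisory or the plugin: a standalone PHP scan that flags iframeBox shortcodes whose attributes match those indicators. It runs offline on constructed sample rows; on a live site it would be fed the ID and post_content columns of wp_posts. The simplified regexes and the `placeholder()` values in the samples are assumptions for illustration.

```php
<?php
// Added example (not from the advisory or the plugin): flag iframeBox shortcodes whose
// attributes match the indicators of compromise. Runs offline on constructed sample rows;
// on a live site, feed it rows from wp_posts (e.g. $wpdb->get_results("SELECT ID, post_content ...")).
// Inside WordPress, get_shortcode_regex() and shortcode_parse_atts() give a fuller parse
// than the simplified regexes used here.

const IFRAMEBOX_TAG = 'iframeBox';

// Return the reasons one attribute looks suspicious (an empty array means clean).
function iframebox_attr_reasons(string $name, string $value): array {
    $reasons = [];
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $flat    = preg_replace('/\s+/', '', $decoded);

    if (preg_match('/^on\w+$/i', $name)) {
        $reasons[] = "event-handler attribute \"$name\"";
    }
    if (preg_match('/[<>]/', $decoded)) {
        $reasons[] = "markup characters in \"$name\"";
    }
    if (preg_match('/["\']/', $decoded)) {
        $reasons[] = "quote in \"$name\" (attribute break-out)";
    }
    if (preg_match('/^(javascript|vbscript|data):/i', $flat)) {
        $reasons[] = "script-capable URL scheme in \"$name\"";
    }
    // Runs of numeric/hex entities or percent-escapes are typical of obfuscated payloads.
    if (preg_match('/(&#x?[0-9a-f]+;){3,}|(%[0-9a-f]{2}){3,}/i', $value)) {
        $reasons[] = "heavily encoded value in \"$name\"";
    }
    return $reasons;
}

// Scan rows shaped like wp_posts (ID, post_content); return one finding per suspicious shortcode.
function iframebox_scan_posts(array $posts): array {
    $findings = [];
    $tagRe  = '/\[' . preg_quote(IFRAMEBOX_TAG, '/') . '\b([^\]]*)\]/i';
    $attrRe = '/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/';
    foreach ($posts as $post) {
        if (!preg_match_all($tagRe, $post['post_content'], $shortcodes, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($shortcodes as $sc) {
            $reasons = [];
            preg_match_all($attrRe, $sc[1], $attrs, PREG_SET_ORDER);
            foreach ($attrs as $a) {
                // Exactly one of the three value groups participates in a match.
                $value = ($a[2] ?? '') . ($a[3] ?? '') . ($a[4] ?? '');
                $reasons = array_merge($reasons, iframebox_attr_reasons($a[1], $value));
            }
            if ($reasons) {
                $findings[] = ['ID' => $post['ID'], 'shortcode' => $sc[0], 'reasons' => $reasons];
            }
        }
    }
    return $findings;
}

// Constructed sample rows (not real site data). Only post 101 is benign.
$sample_posts = [
    ['ID' => 101, 'post_content' => 'Watch: [iframeBox url="https://example.com/embed/42" width="600" height="400"]'],
    ['ID' => 102, 'post_content' => '[iframeBox url="https://example.com/embed/42" title="x" onload="placeholder()"]'],
    ['ID' => 103, 'post_content' => '[iframeBox url="java&#x73;cript:placeholder()" title="&#x3c;b&#x3e;hi"]'],
];
foreach (iframebox_scan_posts($sample_posts) as $f) {
    printf("post %d: %s\n    %s\n", $f['ID'], $f['shortcode'], implode('; ', $f['reasons']));
}
```

Run with `php scan.php`; posts 102 and 103 are reported, 101 is not. Decoding entities before the checks is what catches the split `java&#x73;cript:` scheme and the entity-encoded tag in post 103, which a plain substring search for `<script` or `onload=` would miss.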
Monitoring Recommendations
- Monitor WordPress admin and content creation activities for users with contributor-level access
- Configure alerts for unusual patterns of post editing or shortcode insertion
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
- Review server access logs for signs of automated exploitation attempts targeting the plugin
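One way to obtain the CSP-based detection recommended above without breaking the site first, as an added example that is not the advisory's or the plugin's code: a must-use plugin that sends a report-only policy for the front end. The CDN host, the allowed frame host and the report endpoint are placeholders to be replaced with the site's own values.

```php
<?php
// Added example (not from the advisory or the plugin): emit a report-only CSP from a
// must-use plugin (wp-content/mu-plugins/csp-report-only.php) so that inline event
// handlers or inline <script> blocks injected through post content generate violation
// reports without blocking anything yet. Hosts and the report endpoint are placeholders.
add_action('send_headers', function (): void {
    if (is_admin()) {
        return; // wp-admin relies heavily on inline scripts; scope the policy to the front end
    }
    $policy = implode('; ', [
        "default-src 'self'",
        // No 'unsafe-inline': an injected onload="..." or <script> block violates script-src.
        "script-src 'self' https://cdn.example.com",
        // iframeBox embeds iframes, so frame-src bounds what the site may legitimately frame.
        "frame-src https://embed.example.com",
        "report-uri /csp-report-endpoint", // placeholder; point at your report collector
    ]);
    header('Content-Security-Policy-Report-Only: ' . $policy);
});
```

Review the collected reports before switching the header to enforcing Content-Security-Policy: themes and other plugins that legitimately use inline scripts will show up as violations and need an allow-list entry or a nonce first. If the site sits behind a full-page cache, confirm the cache passes this header through.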
How to Mitigate CVE-2025-12122
Immediate Actions Required
- Update the Popup Box plugin to a version newer than 3.2.12 that includes the security patch
- Audit existing posts and pages for potentially malicious iframeBox shortcode content
- Temporarily disable the iframeBox shortcode functionality if an immediate update is not possible
- Review and restrict contributor-level access to trusted users only until the patch is applied
Patch Information
A security patch addressing this vulnerability is available. The fix can be reviewed in the WordPress Changeset Update. Additional vulnerability details and remediation guidance are available in the Wordfence Vulnerability Report.
Workarounds
- Disable the Popup Box plugin entirely until the update can be applied
- Remove or restrict the iframeBox shortcode by temporarily unregistering it (remove_shortcode) from the theme or a must-use plugin
- Implement strict Content Security Policy headers to limit script execution sources
- Demote contributor accounts to subscriber level or revoke access until the plugin is updated
// Temporary workaround: unregister the iframeBox shortcode so it no longer renders.
// Add to the active theme's functions.php or to a small must-use plugin.
// Hooked to 'init' with a late priority so it runs after the plugin has registered the shortcode.
add_action('init', function (): void {
    remove_shortcode('iframeBox');
}, 100);
// Existing posts keep their [iframeBox ...] text, which now appears literally instead of rendering.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

