Security Alert Summary
The LotekMedia Popup Form plugin for WordPress contains a stored Cross-Site Scripting (XSS) vulnerability in its settings. Authenticated attackers with Administrator-level access can inject scripts into plugin settings that will execute on the frontend when the popup is displayed.
CVE Details
- CVE ID: CVE-2026-2420
- Affected component: LotekMedia Popup Form plugin for WordPress
- Affected versions: all versions up to, and including, 1.0.6
- Published: March 7, 2026 at 8:16:11 AM
- Last modified: March 7, 2026 at 8:16:11 AM
- CVSS v3.1: Base Score 4.4 (MEDIUM) — Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N - Authentication / privileges / user interaction: Requires an authenticated attacker with Administrator-level privileges (Privileges Required: HIGH); User Interaction: None
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE: CWE-79 (Cross-site Scripting)
Technical Details
According to the CVE description, the plugin fails to sufficiently sanitize input and escape output for values stored in its settings. This allows authenticated administrators to save data that includes arbitrary web scripts. When those settings are rendered in the frontend popup, the stored script executes in the context of visitors’ browsers (stored XSS).
The vulnerability exists in all versions up to and including 1.0.6. Exploitation requires an account with Administrator-level access or higher to insert the malicious payload into the plugin settings. The issue is identified as CWE-79.
How This Could Impact Your Website
In a typical site environment with an owner, internal staff who manage content, and an external contractor, an attacker who can access or control an administrator account could insert malicious script into the popup settings. Any visitor who sees the popup may have that script run in their browser.
Based on the CVSS impact metrics, expected consequences are limited in scope: small confidentiality exposure for data available to the page and limited integrity impact on displayed content. Practical risks include exposure of information visible on the popup and an increased risk of targeted phishing or social engineering if attacker-controlled content is used to trick users. The available information does not indicate server-side compromise or full site takeover.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and administrator accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and logs for unusual behavior related to plugin settings or frontend content.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
