WordPress Security Bulletin: The Popup Box 6 Easily Create WordPress Popups Plugin Vulnerability (CVE-2025-12122)

Security Alert Summary

The Popup Box 6 Easily Create WordPress Popups plugin for WordPress (referred to here as “Popup Box”) is vulnerable to stored Cross-Site Scripting (XSS) via its iframeBox shortcode in all versions up to, and including, 3.2.12. Insufficient input sanitization and output escaping of user-supplied shortcode attributes allows authenticated users with contributor-level access and above to inject scripts that execute whenever a page containing the crafted shortcode is viewed.


CVE Details

  • CVE ID: CVE-2025-12122
  • Affected plugin / component: The Popup Box 6 Easily Create WordPress Popups plugin for WordPress
  • Affected versions: All versions up to, and including, 3.2.12
  • Published: February 18, 2026 at 6:16:33 AM UTC
  • Last modified: February 18, 2026 at 6:16:33 AM UTC
  • CVSS v3.1: Base Score 6.4, Medium — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Authentication required: Yes. Privileges required: Low (contributor-level access and above). User interaction: None.
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None.
  • CWE / weakness: CWE-78

Technical Details

The vulnerability is a stored Cross-Site Scripting (XSS) issue in the plugin’s iframeBox shortcode. According to the CVE description, the plugin fails to sufficiently sanitize input and escape output for user-supplied shortcode attributes. Because the plugin stores or renders those attributes without proper filtering and escaping, an authenticated user with contributor-level access or higher can inject arbitrary web scripts into pages that include the crafted shortcode. Those scripts will execute in the context of any visitor or user who loads the affected page.

No additional functions, REST endpoints, or patch details are specified in the CVE entry beyond the iframeBox shortcode and the general cause of insufficient sanitization and escaping.
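To illustrate the class of defect described above, here is an added, hypothetical shortcode handler in the style of an iframeBox shortcode, shown first with attribute values written into HTML unescaped and then hardened with WordPress's own validation and escaping functions. This is example code written for this bulletin, not the Popup Box plugin's source; the attribute names (url, width, height) and the function names are assumptions.

```php
<?php
// Added illustrative example, not the plugin's source. Attribute names are assumed.

// Vulnerable pattern: shortcode attributes are concatenated straight into the
// iframe markup. A contributor controls these values, so any markup placed in
// them is stored with the post and rendered for every viewer of the page.
function insecure_iframebox_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'width' => '600', 'height' => '400' ),
        $atts,
        'iframeBox'
    );
    return '<iframe src="' . $atts['url'] . '" width="' . $atts['width']
        . '" height="' . $atts['height'] . '"></iframe>';
}

// Hardened pattern: validate each attribute for its expected type, then escape
// on output. Sanitization on save is not enough on its own; escaping at the
// point where the value enters HTML is what prevents the injection.
function secure_iframebox_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'width' => '600', 'height' => '400' ),
        $atts,
        'iframeBox'
    );

    // esc_url() only allows the listed schemes and encodes characters that
    // could break out of the attribute; an empty result means "do not render".
    $url = esc_url( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return '';
    }

    // Dimensions are numeric only; anything else collapses to a safe default.
    $width  = absint( $atts['width'] )  ?: 600;
    $height = absint( $atts['height'] ) ?: 400;

    // esc_attr() on every value written inside an HTML attribute.
    return sprintf(
        '<iframe src="%s" width="%s" height="%s"></iframe>',
        esc_attr( $url ),
        esc_attr( $width ),
        esc_attr( $height )
    );
}

add_shortcode( 'iframeBox', 'secure_iframebox_shortcode' );
```

The same rule applies to any other attribute the shortcode accepts: decide what type the value must be, reject or normalize everything else, and escape it with the function that matches the context it is written into.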


How This Could Impact Your Website

In a small organization, a contractor or contributor with editing privileges could add or edit content that includes a malicious iframeBox shortcode. When other staff, site editors, or visitors view the affected page, injected scripts could run in their browsers. Practical consequences include exposure of internal user data visible in the page context (for example, email addresses displayed on pages), session-based information available to the browser, or actions taken in the context of an authenticated user’s session depending on what the injected script attempts to do.

This increases the risk of targeted phishing or social-engineering campaigns against staff whose information is exposed. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles; limit contributor and editor access where possible.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, such as unexpected post edits or new shortcode usage.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References