cleantalk
Vulnerabilities and Security Researches

Popup Builder – Create highly converting, mobile friendly marketing popups., CVE-2025-9856

CVE, Research URL

CVE-2025-9856

Home page URL

Security reports for Popup Builder – Create highly converting, mobile friendly marketing popups.

Application

Popup Builder – Create highly converting, mobile friendly marketing popups.

Published on
Dec 13, 2025
Research Description
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 4.4.2.
Status
vulnerable
Previous vulnerability researches
ContentMX Content Publisher (CVE-2025-9889) , Apr 23, 2026
ContentMX Content Publisher (CVE-2025-31555) , Apr 03, 2025
New vulnerability
LightGallery WP (CVE-2025-5092) , Apr 24, 2026
Private WP suite (CVE-2026-2719) , Apr 24, 2026
Sitekit (CVE-2025-58229) , Apr 24, 2026
Skimlinks Affiliate Marketing Tool (CVE-2025-57944) , Apr 24, 2026
Switch CTA Box (CVE-2026-4088) , Apr 24, 2026