cleantalk
Vulnerabilities and Security Researches

LotekMedia Popup Form, CVE-2026-2420

CVE, Research URL

CVE-2026-2420

Home page URL

Security reports for LotekMedia Popup Form

Application

LotekMedia Popup Form

Published on
Mar 07, 2026
Research Description
The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the frontend of the site where the popup is displayed.
Affected versions
max 1.0.6.
Status
vulnerable
Previous vulnerability researches
Page and Post Clone (CVE-2026-2893) , Apr 15, 2026
Page and Post Clone (CVE-2024-5942) , Jun 30, 2024
New vulnerability
All push notification for WP (CVE-2026-0816) , Apr 16, 2026
Slideshow Wp (CVE-2026-1885) , Apr 16, 2026
XO Event Calendar (CVE-2026-0556) , Apr 16, 2026
WP App Bar (CVE-2026-1074) , Apr 16, 2026
EM Cost Calculator (CVE-2026-2506) , Apr 16, 2026