CVE-2019-25744

MEDIUM

WordPress Popup Builder 3.49 Persistent Cross-Site Scripting

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25744. PoCs published by Unk9vvN.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in WordPress Popup Builder 3.49 by injecting a malicious script into the popup title, which executes when the popup is rendered in the 'Add Post' or 'Add Page' sections.

Description

WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payloads in the post_title field that execute when pages or posts display popup selections.

Exploits (1)

exploitdb WORKING POC
by Unk9vvN · text · webapps · php
https://www.exploit-db.com/exploits/47518

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress Popup Builder 3.49
Auth required
Prerequisites: WordPress admin access · Popup Builder plugin version 3.49 installed
devstral-2 · analyzed Jun 04, 2026

References (4)

Core References
Exploit: ExploitDB-47518
https://www.exploit-db.com/exploits/47518
Product: Official Product Homepage
https://popup-builder.com/
Product: Product Reference
https://wordpress.org/plugins/popup-builder/
Third Party Advisory: VulnCheck Advisory: WordPress Popup Builder 3.49 Persistent Cross-Site Scripting
https://www.vulncheck.com/advisories/wordpress-popup-builder-persistent-cross-site-scripting

Scores

CVSS v3 5.4
EPSS 0.0017
EPSS Percentile 6.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (1)
Popup-Builder/Popup Builder 3.49
Published Jun 04, 2026
Tracked Since Jun 04, 2026