Popup Box – Easily Create WordPress Popups Vulnerability (Medium) -…

by | Feb 17, 2026 | Plugins

Attack Vectors

CVE-2025-12122 is a Medium-severity Stored Cross-Site Scripting (XSS) issue affecting Popup Box – Easily Create WordPress Popups (slug: popup-box) in versions 3.2.12 and earlier.

The primary attack path is through the plugin’s iframeBox shortcode. An attacker who already has an authenticated WordPress account with at least Contributor permissions can insert malicious script content into a page or post via user-supplied shortcode attributes. Because it is “stored,” the script can run later for anyone who views the impacted page.

This matters for organizations that allow multiple internal users, agencies, or contractors to create or edit content. Even when logins are required, Contributor-level access is common in marketing workflows and can be a realistic foothold for abuse if an account is compromised or misused.

Security Weakness

According to the published advisory, the plugin is vulnerable due to insufficient input sanitization and output escaping for user-supplied attributes in the iframeBox shortcode across all affected versions (up to and including 3.2.12).

In practical terms, this weakness can allow attacker-controlled content to be saved into WordPress pages and then rendered in browsers as active code, rather than as plain text. Because the vulnerability is tied to content rendering, it can impact visitors, customers, and employees who load the affected pages.
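To make the weakness concrete for the Attack Vectors and Security Weakness sections above, here is an added example of the vulnerable pattern beside its hardened form. It is not Popup Box's own code: the shortcode name example_iframe_box and the attribute names url, title, width and height are hypothetical, and the block assumes the WordPress runtime, where add_shortcode, shortcode_atts, esc_url, esc_attr and absint are core functions.

```php
<?php
/**
 * Added example, not the plugin's own code. A hypothetical iframe-embedding
 * shortcode shown first in the weak form the advisory describes (attributes
 * written to HTML without escaping) and then hardened. Assumes the WordPress
 * runtime; shortcode_atts(), esc_url(), esc_attr() and absint() are core.
 */

// WEAK FORM: attribute values typed into post content by any user who can
// author posts are concatenated straight into markup. Whatever a Contributor
// puts in the attributes is stored with the post and delivered to every
// visitor's browser as-is, which is the Stored XSS pattern.
function example_iframe_box_weak( $atts ) {
	$atts = shortcode_atts(
		array( 'url' => '', 'title' => '', 'width' => '600', 'height' => '400' ),
		$atts,
		'example_iframe_box'
	);
	// No escaping: quotes or a disallowed URL scheme in $atts reach the HTML.
	return '<iframe src="' . $atts['url'] . '" title="' . $atts['title'] . '"'
		. ' width="' . $atts['width'] . '" height="' . $atts['height'] . '"></iframe>';
}

// HARDENED FORM: each attribute is coerced to the type its HTML context
// expects before output. esc_url() drops values whose scheme is not in the
// allow-list and escapes the rest; esc_attr() neutralises quotes and angle
// brackets inside an attribute; absint() forces dimensions to an integer.
function example_iframe_box_safe( $atts ) {
	$atts = shortcode_atts(
		array( 'url' => '', 'title' => '', 'width' => '600', 'height' => '400' ),
		$atts,
		'example_iframe_box'
	);

	// Only http/https are accepted; esc_url() returns '' for anything else.
	$url = esc_url( $atts['url'], array( 'http', 'https' ) );
	if ( '' === $url ) {
		// Rejected or empty URL: render nothing rather than a broken frame.
		return '';
	}

	return sprintf(
		'<iframe src="%s" title="%s" width="%d" height="%d"></iframe>',
		$url,
		esc_attr( $atts['title'] ),
		absint( $atts['width'] ),
		absint( $atts['height'] )
	);
}

// Register only the hardened handler; the weak one is kept for comparison.
add_shortcode( 'example_iframe_box', 'example_iframe_box_safe' );
```

The design point is that escaping happens at output time and is chosen per context (URL attribute, plain attribute, numeric attribute), since a single generic filter on input does not know where the value will land. For the actual plugin the fix is the vendor update; on a site managed with WP-CLI, `wp plugin get popup-box --field=version` reports the installed version and `wp plugin update popup-box` applies the patched release.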

Remediation: Update Popup Box – Easily Create WordPress Popups to version 3.2.13 or a newer patched version, as recommended in the advisory source.

Technical or Business Impacts

For marketing and business leadership, Stored XSS is primarily a trust and brand-risk issue. If exploited, site pages can display or execute unauthorized behavior that undermines customer confidence and damages campaign performance.

Potential impacts include: disruption of landing page journeys, unauthorized changes to what users see or where they are sent, theft of session-related data in certain scenarios, and increased exposure to fraud or impersonation attempts. For organizations with regulated obligations, it may also create compliance concerns if the incident affects user data or audit requirements.

This vulnerability has a CVSS 6.4 (Medium) rating (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), which reflects that exploitation is feasible over the network but requires an authenticated user role (Contributor+). From a risk perspective, that means prioritization should consider how many users have content-authoring access, whether third parties have accounts, and how well accounts are protected.

Similar Attacks

Stored XSS has been used in real-world incidents to inject malicious scripts into websites and affect visitors at scale. Examples include:

Magecart web skimming campaigns (Tripwire overview) — attackers inject scripts into sites to capture user-entered data and monetize stolen information.

Wordfence incident reports and plugin vulnerability write-ups (Wordfence blog) — multiple documented cases where WordPress plugin weaknesses enabled script injection and downstream business impact.

Cross-site scripting (XSS) impact overview (Cloudflare Learning Center) — explains common consequences of XSS, including session abuse and user redirection, in business-friendly terms.
