PatchSiren cyber security CVE debrief
CVE-2019-25744 Popup-Builder CVE debrief
CVE-2019-25744 is a persistent cross-site scripting (XSS) vulnerability in WordPress Popup Builder 3.49. The vulnerability allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payloads in the post_title field, which execute when pages or posts display popup selections.
- Vendor: Popup-Builder
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-10
Who should care
Users of WordPress Popup Builder 3.49, administrators of WordPress sites with the plugin installed, and security teams monitoring for XSS vulnerabilities.
Technical summary
The vulnerability has a CVSS score of 5.1 and is classified as MEDIUM severity. It requires authentication (PR:L) and user interaction (UI:P) to exploit. The attack vector is network-based (AV:N), and the vulnerability can lead to localized impacts on confidentiality (VC:N) and integrity (VI:N).
Defensive priority
MEDIUM
Recommended defensive actions
- Update WordPress Popup Builder to a version that fixes the XSS vulnerability.
- Validate and sanitize user input to prevent script injection.
- Implement Content Security Policy (CSP) to mitigate XSS attacks.
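The option-tag breakout described above comes down to output encoding, so the following added example (not Popup Builder's code) shows an unescaped `<option>` renderer beside a hardened one, plus a check that fails when a title closes the tag early. The function names are hypothetical and the sample titles are constructed. `htmlspecialchars()` stands in for WordPress's `esc_html()` and `esc_attr()` so the sketch runs on plain PHP.

```php
<?php
// Added illustration, not Popup Builder's code. Function names are hypothetical
// and the sample titles are constructed.

// Unsafe pattern: a stored title is concatenated into <option> markup as-is,
// so markup inside the title is parsed by the browser instead of displayed.
function render_options_unsafe(array $popups): string {
    $html = '';
    foreach ($popups as $id => $title) {
        $html .= '<option value="' . $id . '">' . $title . "</option>\n";
    }
    return $html;
}

// Hardened pattern: encode for the HTML context at output time. Inside
// WordPress the equivalents are esc_attr() for the value and esc_html() for
// the label; htmlspecialchars() keeps this sketch runnable on plain PHP.
function render_options_safe(array $popups): string {
    $html = '';
    foreach ($popups as $id => $title) {
        $value = htmlspecialchars((string) $id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $label = htmlspecialchars((string) $title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= '<option value="' . $value . '">' . $label . "</option>\n";
    }
    return $html;
}

// Regression check: after rendering N popups there must be exactly N closing
// </option> tags; any extra one came from stored data.
function option_count_matches(string $html, int $expected): bool {
    return substr_count(strtolower($html), '</option>') === $expected;
}

// Constructed sample data: one ordinary title, one that closes the tag early.
$popups = [
    12 => 'Newsletter signup',
    13 => 'Sale</option></select><b>injected markup</b>',
];

foreach (['unsafe' => 'render_options_unsafe', 'safe' => 'render_options_safe'] as $name => $fn) {
    $html = $fn($popups);
    echo "--- $name ---\n$html";
    echo option_count_matches($html, count($popups)) ? "OK\n" : "FAIL: title broke out of <option>\n";
}
```

The same tag-count check can be run against rendered admin pages in a plugin's test suite to catch a regression in any template that lists stored titles.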
Evidence notes
The CVE record was published on 2026-06-04T14:16:33.717Z and last modified on 2026-06-10T02:16:32.290Z. The vulnerability affects Popup Builder 3.49.
Official resources
CVE-2019-25744 was published on 2019-04-09 by the CVE Numbering Authority (CNA). The vulnerability affects Popup Builder 3.49 and allows authenticated attackers to inject malicious scripts via the post.php endpoint.