Cybersecurity Vulnerabilities

Critical Stored XSS Vulnerability Discovered in Nelio Popups WordPress Plugin (CVE-2025-66111)

November 21, 2025 - By 

Overview

A Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-66111, has been discovered in the Nelio Popups WordPress plugin. This vulnerability affects versions 1.3.0 and below. A successful exploit could allow attackers to inject malicious scripts into the plugin’s settings, which are then executed in the browsers of other users who access the affected WordPress dashboard. This can lead to various malicious activities, including account compromise and malware distribution.

Technical Details

The vulnerability resides in the improper neutralization of user-supplied input during web page generation within the Nelio Popups plugin. Specifically, the plugin fails to adequately sanitize input fields used when creating or modifying popup content and settings. An attacker with sufficient privileges (e.g., administrator, editor, or a contributor with the appropriate capabilities, depending on how permissions are configured) can inject malicious JavaScript code into these fields. This code is then stored in the WordPress database and executed whenever an administrator or other authorized user accesses the affected popup settings or when the popup is displayed on the front-end (if the XSS is triggered there).

CVSS Analysis

Currently, the CVSS score and severity level for CVE-2025-66111 are marked as N/A. However, given the nature of Stored XSS vulnerabilities and the potential for significant impact, it’s crucial to address this issue promptly. A more formal CVSS score will likely be assigned as analysis continues by vulnerability databases and security researchers.

Possible Impact

Successful exploitation of this Stored XSS vulnerability could have significant consequences:

  • Account Takeover: Attackers could steal administrator cookies and hijack their accounts, gaining complete control over the WordPress website.
  • Malware Distribution: Malicious scripts could be used to redirect users to websites hosting malware, infecting their computers.
  • Defacement: The website could be defaced with unwanted content, damaging the reputation of the organization.
  • Data Theft: Sensitive data stored within the WordPress database could be accessed and stolen.

Mitigation or Patch Steps

The primary mitigation step is to update the Nelio Popups plugin to the latest version as soon as a patched version becomes available. Check the Nelio Software website or the WordPress plugin repository for updates. If an update is not yet available, consider the following temporary workarounds, though they may impact plugin functionality:

  • Disable the Plugin: Temporarily disable the Nelio Popups plugin until a patched version is released.
  • Restrict User Privileges: Limit the number of users with access to modify popup content and settings.
  • Input Sanitization: Implement strict input validation and sanitization for all user-supplied input fields used by the plugin (this requires technical expertise). It is highly recommended to wait for the official patch provided by the vendor.

References

Patchstack Vulnerability Database: Nelio Popups XSS Vulnerability

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.

Related Posts

CVE-2025-61932 Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

CVE-2025-61932: Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

October 23, 2025

Leave a Reply

Your email address will not be published. Required fields are marked *