CVE-2025-25118

CVE-2025-25118 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS, CWE-79), in the WordPress plugin Top Bar – PopUps – by WPOptin (wpoptin) developed by Danish Ali Malik. The issue affects the plugin from unknown initial versions through 2.0.8 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

A remote, unauthenticated attacker can exploit this vulnerability with low attack complexity by crafting a malicious input that is reflected in a web page response, requiring user interaction such as clicking a specially crafted link. Successful exploitation executes arbitrary scripts in the victim's browser context, potentially leading to low impacts on confidentiality, integrity, and availability, with scope changed to enable cross-origin effects.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpoptin/vulnerability/wordpress-easy-wp-tiles-plugin-1-cross-site-scripting-xss-vulnerability-7?_s_id=cve.