CVE-2025-64264 in Popup Addon for Ninja Forms Plugin
Summary
by MITRE • 11/13/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman Popup addon for Ninja Forms popup-addon-for-ninja-forms allows Stored XSS.This issue affects Popup addon for Ninja Forms: from n/a through <= 3.5.1.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 11/13/2025
This vulnerability represents a critical cross-site scripting flaw that specifically targets the Aman Popup addon for Ninja Forms, a popular WordPress plugin used for creating and managing form popups. The issue manifests as a stored XSS vulnerability, meaning that malicious script code can be permanently injected into the web application's database and subsequently executed whenever affected pages are loaded by unsuspecting users. This particular vulnerability affects versions of the plugin from an unspecified beginning version through and including version 3.5.1, creating a substantial attack surface for potential exploitation.
The technical flaw stems from inadequate input sanitization during the web page generation process within the popup addon functionality. When users create or modify popup forms through the Ninja Forms interface, the addon fails to properly neutralize user-supplied input before storing it in the database. This insufficient sanitization allows attackers to inject malicious JavaScript code through form fields, which then gets stored and executed in the context of other users' browsers when they interact with the affected popup functionality. The vulnerability operates at the application layer and specifically targets the HTML rendering pipeline where user input is processed for display in popup windows.
The operational impact of this stored XSS vulnerability is severe and multifaceted. Attackers can exploit this weakness to steal session cookies, authenticate as legitimate users, access sensitive data, perform unauthorized actions on behalf of users, and potentially escalate privileges within the WordPress environment. The stored nature of the vulnerability means that once exploited, the malicious payload persists and affects all users who encounter the affected popup content, making it particularly dangerous for websites with high traffic or those managing sensitive user information. This vulnerability could enable attackers to compromise entire WordPress installations or access user accounts with elevated privileges, depending on the specific implementation and user permissions within the site.
Security mitigations for this vulnerability should focus on immediate patching of the affected plugin to version 3.5.2 or later, which contains the necessary fixes for input sanitization. Administrators should also implement additional defensive measures including input validation at multiple layers, output encoding for all dynamic content, and regular security scanning of WordPress installations. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications, and represents a clear violation of secure coding practices that should be enforced through proper input sanitization and output encoding mechanisms. Organizations should also consider implementing web application firewalls and content security policies to provide additional protection against similar vulnerabilities in their web applications.