What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman Popup addon for Ninja Forms popup-addon-for-ninja-forms allows DOM-Based XSS. This issue affects Popup addon for Ninja Forms: from n/a through <= 3.4.
Explanation of Vulnerability in Simple Terms
02 Summary
The Popup addon for Ninja Forms contains a cross-site scripting (XSS) vulnerability in versions 3.4 and earlier. An authenticated user with low privileges can inject malicious scripts that execute in other users' browsers when they interact with popup content. The vulnerability requires user interaction and can affect site visitors across the application.
What an attacker can do
03 Attacker Capabilities
Inject malicious JavaScript that runs in other users' browsers when they view or interact with popups.
Potential impact on your site
04 Site Impact
Site visitors and admins could have their sessions hijacked, credentials stolen, or be redirected to malicious sites via popup content.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege account on the site; victim must view or interact with the affected popup.
Key dates
06 Disclosure timeline
June 27, 2025: CVE published
April 28, 2026: Record updated