CVE-2025-0897: 
WordPress vulnerability analysis and mitigation

The Modal Window plugin for WordPress (versions <= 6.1.4) contains a Stored Cross-Site Scripting vulnerability via the plugin's 'iframeBox' feature. The vulnerability was discovered and disclosed on February 19, 2025, and is tracked as CVE-2025-0897 (NVD, Wordfence).

The vulnerability exists in the Modal Window WordPress plugin's 'iframeBox' functionality, which allows for the creation of popup modal windows. The issue has been assigned a CVSS v3.1 score indicating network vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction needed (UI:N), with changed scope (S:C), and low confidentiality and integrity impact (C:L, I:L) with no availability impact (A:N) (Wordfence).

The vulnerability could allow attackers to inject and store malicious scripts that execute when users view the affected modal windows, potentially leading to unauthorized data access or manipulation of website content (NVD).

Website administrators using the Modal Window plugin should update to version 6.1.5 or later, which contains security fixes for this vulnerability. The fix was implemented in the plugin's changelog as part of the security improvements (WordPress Plugin).