CVE-2025-50027: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the xootix Login/Signup Popup WordPress plugin, affecting versions up to 2.9.4. The vulnerability was discovered by Nabil Irawan and was publicly disclosed on June 19, 2025. This security issue has been assigned CVE-2025-50027 and is classified as an Improper Neutralization of Input During Web Page Generation vulnerability (Wiz, Patchstack).

The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 score of 5.9 (Medium). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L, indicating that the vulnerability requires high privileges and user interaction to exploit, but can potentially affect resources beyond the security scope of the affected component (Wiz).

The vulnerability enables attackers to inject malicious scripts into web pages, which can then be executed when users visit the affected pages. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' browsers (Wiz, Patchstack).

Users are advised to update to version 2.9.5 or later of the Login/Signup Popup plugin to address this vulnerability. This is the primary and recommended mitigation strategy (Wiz, Patchstack).