CVE-2025-53279: 
WordPress vulnerability analysis and mitigation

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in Aman Popup addon for Ninja Forms through version 3.4. The vulnerability was discovered and reported on June 27, 2025, and is tracked as CVE-2025-53279. The issue specifically allows DOM-Based XSS attacks in the plugin's functionality (NVD, Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction to exploit. The scope is changed, with low impact to confidentiality, integrity, and availability (Patchstack).

The vulnerability could allow an attacker to inject malicious scripts into the website, which would be executed when visitors access the affected pages. This could lead to the execution of unauthorized JavaScript code in users' browsers, potentially enabling attackers to steal session information, redirect users to malicious sites, or inject unwanted content (Patchstack).

Users are advised to update to version 3.5 or later of the Popup addon for Ninja Forms plugin, which contains the fix for this vulnerability. The issue has been patched in the latest release (Patchstack).