CVE-2025-64264: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Popup addon for Ninja Forms WordPress plugin, identified as CVE-2025-64264. The vulnerability affects versions up to and including 3.5.1 of the plugin. The issue was discovered on October 31, 2025, and publicly disclosed on November 13, 2025 (NVD, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's functionality (Rapid7).

The vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page. The impact is limited to multi-site installations and installations where unfiltered_html has been disabled (Rapid7).

The vulnerability has been patched in version 3.5.2 of the Popup addon for Ninja Forms plugin. Users are advised to update to version 3.5.2 or later to remediate the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).