LotekMedia Popup Form plugin for WordPress: Malicious Code Injection Risk
CVE-2026-2420
Summary
An attacker who already holds Administrator access can store script in the plugin's settings; that script then runs in the browser of any visitor to a page where the popup is displayed, which can harm users or steal their data. This affects all versions of the plugin up to and including 1.0.6. To stay safe, update the plugin to a fixed version or remove it if you're not using it.
Original title
The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitizatio...
Original description
The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the frontend of the site where the popup is displayed.
NVD CVSS 3.1 base score
4.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026