CVE-2025-39397
WordPress Anything Popup plugin <= 7.3 - Reflected Cross Site Scripting (XSS) vulnerabilityImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in [email protected] Anything Popup allows Reflected XSS. This issue affects Anything Popup: from n/a through 7.3.
We have discovered 13 live websites that are affected by CVE-2025-39397.
Affected Software
| Product |  Anything Popup |
| Category | Wordpress Plugins |
| Vulnerable Domains | 13 live websites (100% of Anything Popup install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 0 versions ( less than 0.1% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Apr 24, 2025
- Updated - Apr 25, 2025
Credits
- Dimas Maulana (Patchstack Alliance) (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-39397 United States | 4 websites |
 Japan | 3 websites |
 Turkey | 2 websites |
 Australia | 1 websites |
 Germany | 1 websites |
 GB | 1 websites |
 India | 1 websites |
Website Distribution by TLD
Number of websites using CVE-2025-39397| .com | 5 websites |
| .org | 2 websites |
| .co.jp | 1 websites |
| .co.uk | 1 websites |
| .com.au | 1 websites |
| .jp | 1 websites |
| .net | 1 websites |
Websites affected by CVE-2025-39397
Top websites that are affected by CVE-2025-39397. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***************************.org | United States | ***,*** | |
| **.********.com | Germany | ***,*** | |
| *****************.org | United States | *,***,*** | |
| *************.***.au | Australia | *,***,*** | |
| ****************.com | United States | **,***,*** | |
| ****************.com | Turkey | **,***,*** | |
| ******.jp | Japan | **,***,*** | |
| ******.com | United States | **,***,*** | |
| **************.com | Turkey | **,***,*** | |
| ********.net | Japan | **,***,*** |
FAQ
CVE-2025-39397 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Anything Popup
A total of 13 websites have been identified as vulnerable to CVE-2025-39397, based on global website indexing conducted by WebTechSurvey.
The Anything Popup is affected by the CVE-2025-39397 vulnerability.
Anything Popup versions up to and including 7.3 are vulnerable to CVE-2025-39397.