Ays Popup Box
cpe:2.3:a:ays-pro:popup_box:*:*:*:*:wordpress:*:*
- Affected versions: <= 6.1.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Popup Box plugin for WordPress, affecting all versions through 6.1.1. The issue arises from a nonce verification flaw in the 'publish_unpublish_popupbox' function, which incorrectly validates a self-generated nonce instead of one provided in the request. This vulnerability allows unauthenticated attackers to manipulate the publish status of popups by sending a forged request, provided they can deceive a site administrator into clicking a link.
Exploitation of this vulnerability allows for unauthorized changes to the publish status of popups, potentially leading to unwanted content visibility or engagement on the site.
To reproduce this vulnerability, an attacker must craft a request that includes a forged nonce, bypassing the plugin's nonce verification. This can be done by tricking an administrator into clicking a link that triggers the request, such as through a phishing email or a compromised website.
Users are advised to update the Popup Box plugin to version 6.1.2 or later, where this vulnerability has been patched.
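The following is an added illustration of the flaw class described above and of the corrected pattern; it is not the Popup Box plugin's code. The handler names, the nonce action string `example_popup_publish`, the request parameters `popup_id`, `status` and `nonce`, and the post-meta key used to store the publish state are all assumptions chosen for the example. The WordPress functions called (`wp_create_nonce`, `wp_verify_nonce`, `check_ajax_referer`, `current_user_can`, `wp_nonce_field`, `update_post_meta`, `wp_send_json_*`) are real core APIs.

```php
<?php
// Added example, not the plugin's code. Names prefixed "example_" are
// placeholders for this illustration of the advisory's nonce-check flaw.

// Helper shared by both handlers: record the popup's publish state.
// The meta key is an assumption for the example.
function example_toggle_popup_status( $popup_id, $status ) {
    update_post_meta( $popup_id, '_example_popup_published', ( 'publish' === $status ) ? 1 : 0 );
}

// BROKEN pattern (the class of bug the advisory describes): the handler
// mints a nonce itself and then verifies that same value. wp_verify_nonce()
// therefore always succeeds, the nonce that arrived with the request is
// never examined, and a request forged from another site is accepted once
// an administrator's browser sends it.
function example_publish_unpublish_broken() {
    $nonce = wp_create_nonce( 'example_popup_publish' );     // self-generated, never from $_POST
    if ( ! wp_verify_nonce( $nonce, 'example_popup_publish' ) ) {
        wp_send_json_error( 'bad nonce', 403 );               // unreachable branch
    }
    example_toggle_popup_status( absint( $_POST['popup_id'] ), $_POST['status'] );
    wp_send_json_success();
}

// FIXED pattern: verify the nonce that the *request* carries, and pair it
// with a capability check so that a valid nonce alone is not sufficient.
function example_publish_unpublish_fixed() {
    // Reads the 'nonce' request field, verifies it against the action, and
    // terminates the request with a 403-style response on failure.
    check_ajax_referer( 'example_popup_publish', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $popup_id = isset( $_POST['popup_id'] ) ? absint( $_POST['popup_id'] ) : 0;
    $status   = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    if ( ! $popup_id || ! in_array( $status, array( 'publish', 'unpublish' ), true ) ) {
        wp_send_json_error( 'invalid parameters', 400 );
    }

    example_toggle_popup_status( $popup_id, $status );
    wp_send_json_success();
}

// The nonce must originate from the legitimate admin page: emitting it there
// ties it to the logged-in user's session, which is exactly what a forged
// cross-site request cannot reproduce.
function example_print_toggle_nonce() {
    wp_nonce_field( 'example_popup_publish', 'nonce' );
}

add_action( 'wp_ajax_example_publish_unpublish', 'example_publish_unpublish_fixed' );
```

When reviewing a plugin for this pattern, the thing to look for is a `wp_verify_nonce()` whose first argument is not taken from the request (`$_POST`, `$_GET`, `$_REQUEST`) but computed locally; such a check can never fail. The capability check in the fixed handler is a separate control: the nonce proves the request came from the site's own page in the current user's session, while `current_user_can()` proves that user is allowed to change publish status at all.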