anonhaven
Ad

CVE-2025-15611

MEDIUM CVSS 3.1: 5.4 EPSS 0.02%
Updated Apr 09, 2026
WordPress
Parameter Value
CVSS 5.4 (MEDIUM)
Affected Versions before 5.5.0
Fixed In 5.5.0
Type CWE-79 Cross-Site Scripting (XSS), CWE-918 (Server-Side Request Forgery (SSRF)), CWE-352 Cross-Site Request Forgery (CSRF)
Vendor WordPress
Public PoC No

The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)
CWE-918 Server-Side Request Forgery (SSRF)
CWE-352 Cross-Site Request Forgery (CSRF)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Ays-Pro Popup_Box
cpe:2.3:a:ays-pro:popup_box:*:*:*:*:*:wordpress:*:*
 5.5.0

References 1

https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/
contact@wpscan.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-3830

Unknown

None

CVE-2026-5809

WordPress

7.1

CVE-2026-5226

WordPress

6.1

CVE-2026-5217

WordPress

7.2

CVE-2026-5207

WordPress

6.5