5.4

CVE-2025-15611

Exploit

Popup Box AYS Pro < 5.5.0 - Admin+ Stored Cross-Site Scripting (XSS) via CSRF

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups < 5.5.0 - Unauthenticated Stored Cross-Site Scripting

The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.
Possible mitigation
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups: Update to version 5.5.0, or a newer patched version
Data provided by the National Vulnerability Database (NVD)
Ays-pro Popup Box, SwPlatform wordpress, Version < 5.5.0
Further vulnerability information
System: WordPress Plugin
Product: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Version: [*, 5.5.0)
No warning was found for this CVE.
EPSS metrics
Type Source Score Percentile
EPSS FIRST.org 0.14% 0.034
CVSS metrics
Source Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.4 2.3 2.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/
Third Party Advisory
Exploit
https://www.wordfence.com/threat-intel/vulnerabilities/id/0b658052-f283-4a47-a440-dbd7acded186
Third Party Advisory