CVE Alert

CVE-2025-15611

MEDIUM 5.4

Popup Box AYS Pro < 5.5.0 - Admin+ Stored Cross-Site Scripting (XSS) via CSRF

CVSS Score: 5.4
EPSS Score: 0.0%
EPSS Percentile: 6th

The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.

Vendor unknown
Product popup box
Published Apr 7, 2026
Last Updated Apr 7, 2026

Affected Versions

Unknown / Popup Box
0 < 5.5.0

References

NVD, CVE.org, EPSS Data
wpscan.com: https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/

Credits

Spider Sec Ltd, WPScan