Search criteria
4 vulnerabilities found for Popup Box – Create Countdown, Coupon, Video, Contact Form Popups by ays-pro
CVE-2026-1165 (GCVE-0-2026-1165)
Vulnerability from nvd – Published: 2026-01-31 14:22 – Updated: 2026-02-02 16:29
VLAI?
Title
Popup Box <= 6.1.1 - Cross-Site Request Forgery to Popup Status Change
Summary
The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ays-pro | Popup Box – Create Countdown, Coupon, Video, Contact Form Popups |
Affected:
* , ≤ 6.1.1
(semver)
|
Credits
Bui Van Y
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-02T16:25:09.893459Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T16:29:04.500Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Box \u2013 Create Countdown, Coupon, Video, Contact Form Popups",
"vendor": "ays-pro",
"versions": [
{
"lessThanOrEqual": "6.1.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bui Van Y"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the \u0027publish_unpublish_popupbox\u0027 function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T14:22:29.035Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/585a9eb4-f394-4cb2-9050-659171a994d9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/admin/partials/ays-pb-admin-display.php#L22"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/includes/lists/class-ays-pb-list-table.php#L701"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3439514@ays-popup-box/tags/6.1.1/\u0026new=3444612@ays-popup-box/tags/6.1.2/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-19T01:31:18.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-30T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Box \u003c= 6.1.1 - Cross-Site Request Forgery to Popup Status Change"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1165",
"datePublished": "2026-01-31T14:22:29.035Z",
"dateReserved": "2026-01-19T01:15:36.466Z",
"dateUpdated": "2026-02-02T16:29:04.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-10861 (GCVE-0-2024-10861)
Vulnerability from nvd – Published: 2024-11-16 02:02 – Updated: 2024-11-19 15:18
VLAI?
Title
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups <= 4.9.7 - Missing Authorization to Unauthenticated Limited Options Update
Summary
The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the 'ays_pb_upgrade_plugin' option with arbitrary data.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ays-pro | Popup Box – Create Countdown, Coupon, Video, Contact Form Popups |
Affected:
* , ≤ 4.9.7
(semver)
|
Credits
Trương Hữu Phúc (truonghuuphuc)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ays-pro:popup_box:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "popup_box",
"vendor": "ays-pro",
"versions": [
{
"lessThanOrEqual": "4.9.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10861",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-18T15:42:44.950135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T15:18:56.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Box \u2013 Create Countdown, Coupon, Video, Contact Form Popups",
"vendor": "ays-pro",
"versions": [
{
"lessThanOrEqual": "4.9.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Box \u2013 Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the \u0027ays_pb_upgrade_plugin\u0027 option with arbitrary data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-16T02:02:31.802Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c3717e03-9a18-48a1-97d3-1d41c7f93261?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/4.9.2/admin/class-ays-pb-admin.php#L609"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3188357/ays-popup-box/tags/4.9.8/admin/class-ays-pb-admin.php?old=3186262\u0026old_path=ays-popup-box%2Ftags%2F4.9.7%2Fadmin%2Fclass-ays-pb-admin.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-15T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Box \u2013 Create Countdown, Coupon, Video, Contact Form Popups \u003c= 4.9.7 - Missing Authorization to Unauthenticated Limited Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10861",
"datePublished": "2024-11-16T02:02:31.802Z",
"dateReserved": "2024-11-05T13:52:25.380Z",
"dateUpdated": "2024-11-19T15:18:56.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-1165 (GCVE-0-2026-1165)
Vulnerability from cvelistv5 – Published: 2026-01-31 14:22 – Updated: 2026-02-02 16:29
VLAI?
Title
Popup Box <= 6.1.1 - Cross-Site Request Forgery to Popup Status Change
Summary
The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ays-pro | Popup Box – Create Countdown, Coupon, Video, Contact Form Popups |
Affected:
* , ≤ 6.1.1
(semver)
|
Credits
Bui Van Y
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-02T16:25:09.893459Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T16:29:04.500Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Box \u2013 Create Countdown, Coupon, Video, Contact Form Popups",
"vendor": "ays-pro",
"versions": [
{
"lessThanOrEqual": "6.1.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bui Van Y"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the \u0027publish_unpublish_popupbox\u0027 function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T14:22:29.035Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/585a9eb4-f394-4cb2-9050-659171a994d9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/admin/partials/ays-pb-admin-display.php#L22"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/includes/lists/class-ays-pb-list-table.php#L701"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3439514@ays-popup-box/tags/6.1.1/\u0026new=3444612@ays-popup-box/tags/6.1.2/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-19T01:31:18.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-30T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Box \u003c= 6.1.1 - Cross-Site Request Forgery to Popup Status Change"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1165",
"datePublished": "2026-01-31T14:22:29.035Z",
"dateReserved": "2026-01-19T01:15:36.466Z",
"dateUpdated": "2026-02-02T16:29:04.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-10861 (GCVE-0-2024-10861)
Vulnerability from cvelistv5 – Published: 2024-11-16 02:02 – Updated: 2024-11-19 15:18
VLAI?
Title
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups <= 4.9.7 - Missing Authorization to Unauthenticated Limited Options Update
Summary
The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the 'ays_pb_upgrade_plugin' option with arbitrary data.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ays-pro | Popup Box – Create Countdown, Coupon, Video, Contact Form Popups |
Affected:
* , ≤ 4.9.7
(semver)
|
Credits
Trương Hữu Phúc (truonghuuphuc)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ays-pro:popup_box:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "popup_box",
"vendor": "ays-pro",
"versions": [
{
"lessThanOrEqual": "4.9.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10861",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-18T15:42:44.950135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T15:18:56.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Box \u2013 Create Countdown, Coupon, Video, Contact Form Popups",
"vendor": "ays-pro",
"versions": [
{
"lessThanOrEqual": "4.9.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Box \u2013 Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the \u0027ays_pb_upgrade_plugin\u0027 option with arbitrary data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-16T02:02:31.802Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c3717e03-9a18-48a1-97d3-1d41c7f93261?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/4.9.2/admin/class-ays-pb-admin.php#L609"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3188357/ays-popup-box/tags/4.9.8/admin/class-ays-pb-admin.php?old=3186262\u0026old_path=ays-popup-box%2Ftags%2F4.9.7%2Fadmin%2Fclass-ays-pb-admin.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-15T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Box \u2013 Create Countdown, Coupon, Video, Contact Form Popups \u003c= 4.9.7 - Missing Authorization to Unauthenticated Limited Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10861",
"datePublished": "2024-11-16T02:02:31.802Z",
"dateReserved": "2024-11-05T13:52:25.380Z",
"dateUpdated": "2024-11-19T15:18:56.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}