{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15611", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-03-16T18:36:17.868Z", "datePublished": "2026-04-07T06:00:09.736Z", "dateUpdated": "2026-04-07T16:25:37.703Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-07T06:00:09.736Z"}, "title": "Popup Box AYS Pro < 5.5.0 - Admin+ Stored Cross-Site Scripting (XSS) via CSRF", "problemTypes": [{"descriptions": [{"description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Popup Box", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "5.5.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend."}], "references": [{"url": "https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Spider Sec Ltd", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T16:25:20.160175Z", "id": "CVE-2025-15611", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:25:37.703Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-15611", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T16:25:20.160175Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:25:29.560Z"}}], "cna": {"title": "Popup Box AYS Pro < 5.5.0 - Admin+ Stored Cross-Site Scripting (XSS) via CSRF", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Spider Sec Ltd"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Popup Box", "versions": [{"status": "affected", "version": "0", "lessThan": "5.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-79 Cross-Site Scripting (XSS)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-07T06:00:09.736Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15611", "state": "PUBLISHED", "dateUpdated": "2026-04-07T16:25:37.703Z", "dateReserved": "2026-03-16T18:36:17.868Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-04-07T06:00:09.736Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ays-pro:popup_box:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "BEED5733-F8BB-4B2B-B0C1-C849505A712C", "versionEndExcluding": "5.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend."}], "id": "CVE-2025-15611", "lastModified": "2026-04-09T19:43:40.437", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T07:16:23.443", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.5.0)"}}], "enrichment": {"confidence": 70.0, "confidence_source": "inferred", "scores": [{"score": 70.0, "source": "inferred"}]}, "original": {"product": "Popup Box", "source": "cna", "vendor": "Unknown"}, "product": "popup_box", "vendor": "popup_box"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T11:23:24.341163+00:00", "value": {"mitigation_remediation": ["Upgrade the Popup Box plugin to version 5.5.0 or later.", "If immediate upgrade is not possible, configure your web server or WordPress to block or restrict access to the plugin\u2019s configuration pages to only trusted IP addresses.", "Disable the Popup Box plugin entirely if it is not required for site functionality.", "Review existing pop\u2011ups for malicious content and delete any created by an attacker.", "Verify that the site\u2019s WordPress core and other plugins are up to date and that all administrative accounts use strong, unique passwords.", "Consider monitoring site traffic for unexpected POST requests to the plugin\u2019s edit endpoint to detect potential abuse."], "summary": {"action": "Apply Patch", "impact": "Stored XSS via CSRF allowing arbitrary JavaScript execution in the admin panel and site frontend"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Popup Box plugin (identified as ays\u2011pro:popup_box) at any version prior to 5.5.0 are vulnerable. The plugin is distributed as a WordPress plugin; specific vendor branding is not provided, but the affected product is the 'Popup Box' plugin. If the site uses older versions of this plugin, it is impacted.", "description_and_impact": "The flaw lies in the Popup Box WordPress plugin, where the add_or_edit_popupbox() function does not properly validate nonces before saving popup data. This defect permits an attacker to perform a cross\u2011site request forgery that injects arbitrary JavaScript into a popup. The injected script runs with the privileges of the site administrator when the admin visits a malicious page and also executes on the public front\u2011end, allowing an attacker to deface the site, steal data, or hijack sessions.", "risk_and_exploitability": "Scored 5.4 on the CVSS v3.1 framework, indicating a moderate impact. The EPSS score of less than 1 percent suggests low to moderate likelihood of exploitation. The vulnerability is not listed on the CISA KEV catalog, implying no known widespread exploitation. Exploitation requires an attacker to trick an authenticated administrator into viewing a malicious URL that triggers nonce\u2011unchecked saves of a popup. Once triggered, the attacker can inject arbitrary JavaScript into the popup which executes in the admin panel and on the front page. The threat is moderated by the necessity of a target admin account and the need for the admin to visit the malicious page."}}}}, "created": "2026-04-07T09:36:22.442935+00:00", "updated": "2026-04-13T14:27:16.443037+00:00", "vendors": ["popup_box", "popup_box$PRODUCT$popup_box", "wordpress", "wordpress$PRODUCT$wordpress"]}