{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68526", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-19T10:17:03.706Z", "datePublished": "2026-02-20T15:46:39.001Z", "dateUpdated": "2026-04-28T20:00:20.623Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "modal-popup-box", "product": "Modal Popup Box", "vendor": "A WP Life", "versions": [{"changes": [{"at": "1.6.2", "status": "unaffected"}], "lessThanOrEqual": "1.6.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:31.973Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in A WP Life Modal Popup Box modal-popup-box allows Object Injection.<p>This issue affects Modal Popup Box: from n/a through <= 1.6.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in A WP Life Modal Popup Box modal-popup-box allows Object Injection.This issue affects Modal Popup Box: from n/a through <= 1.6.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:29.479Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/modal-popup-box/vulnerability/wordpress-modal-popup-box-plugin-1-6-1-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Modal Popup Box plugin <= 1.6.1 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T21:05:00.835594Z", "id": "CVE-2025-68526", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:00:20.623Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-68526", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T21:05:00.835594Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T21:04:57.576Z"}}], "cna": {"title": "WordPress Modal Popup Box plugin <= 1.6.1 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "A WP Life", "product": "Modal Popup Box", "versions": [{"status": "affected", "changes": [{"at": "1.6.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.6.1"}], "packageName": "modal-popup-box", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:02:31.973Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/modal-popup-box/vulnerability/wordpress-modal-popup-box-plugin-1-6-1-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in A WP Life Modal Popup Box modal-popup-box allows Object Injection.This issue affects Modal Popup Box: from n/a through <= 1.6.1.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in A WP Life Modal Popup Box modal-popup-box allows Object Injection.<p>This issue affects Modal Popup Box: from n/a through <= 1.6.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:12:09.155Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68526", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:12:09.155Z", "dateReserved": "2025-12-19T10:17:03.706Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:39.001Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in A WP Life Modal Popup Box modal-popup-box allows Object Injection.This issue affects Modal Popup Box: from n/a through <= 1.6.1."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en A WP Life Modal Popup Box modal-popup-box permite la inyecci\u00f3n de objetos. Este problema afecta a Modal Popup Box: desde n/a hasta &lt;= 1.6.1."}], "id": "CVE-2025-68526", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:10.837", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/modal-popup-box/vulnerability/wordpress-modal-popup-box-plugin-1-6-1-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Modal Popup Box", "source": "cna", "vendor": "A WP Life"}, "product": "modal_popup_box", "vendor": "a_wp_life"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:40:15.330950+00:00", "value": {"mitigation_remediation": ["Upgrade Modal Popup Box to version 1.6.2 or later, which contains a patch for the deserialization flaw.", "If the plugin is not essential, remove it completely from the WordPress installation to eliminate the attack surface.", "Disable or tighten any plugin settings that allow external data to be stored or processed, ensuring that only trusted sources can submit data."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The A WP Life:Modal Popup Box plugin, specifically the Modal Popup Box component, is affected in all versions up to and including 1.6.1. No other product or version information is supplied in the data.", "description_and_impact": "The vulnerability is a PHP Object Injection vulnerability caused by deserialization of untrusted data. Exploiting it could allow an attacker to create malicious PHP objects that are later unserialized by the plugin, potentially leading to remote code execution on the server. The flaw is identified as CWE\u2011502, which signals that insecure deserialization can compromise data integrity and confidentiality.", "risk_and_exploitability": "This is a high severity flaw with a CVSS score of 8.8, indicating significant potential impact. The EPSS score is below 1%, suggesting that the exploitation likelihood is currently low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely an unauthenticated remote input that can be sent to the plugin\u2019s data processing endpoint, though the exact method is not explicitly detailed."}}}}, "created": "2026-02-23T14:45:27.750056+00:00", "updated": "2026-04-27T20:45:12.711214+00:00", "vendors": ["a_wp_life", "a_wp_life$PRODUCT$modal_popup_box", "wordpress", "wordpress$PRODUCT$wordpress"]}