{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1165", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-19T01:15:36.466Z", "datePublished": "2026-01-31T14:22:29.035Z", "dateUpdated": "2026-04-08T16:54:35.031Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:35.031Z"}, "affected": [{"vendor": "ays-pro", "product": "Popup Box \u2013 Create Countdown, Coupon, Video, Contact Form Popups", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}], "title": "Popup Box <= 6.1.1 - Cross-Site Request Forgery to Popup Status Change", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/585a9eb4-f394-4cb2-9050-659171a994d9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/admin/partials/ays-pb-admin-display.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/includes/lists/class-ays-pb-list-table.php#L701"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3439514@ays-popup-box/tags/6.1.1/&new=3444612@ays-popup-box/tags/6.1.2/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Bui Van Y"}], "timeline": [{"time": "2026-01-19T01:31:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-30T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-02T16:25:09.893459Z", "id": "CVE-2026-1165", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:29:04.500Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1165", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-02T16:25:09.893459Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:25:10.726Z"}}], "cna": {"title": "Popup Box <= 6.1.1 - Cross-Site Request Forgery to Popup Status Change", "credits": [{"lang": "en", "type": "finder", "value": "Bui Van Y"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "ays-pro", "product": "Popup Box \u2013 Create Countdown, Coupon, Video, Contact Form Popups", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-19T01:31:18.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-30T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/585a9eb4-f394-4cb2-9050-659171a994d9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/admin/partials/ays-pb-admin-display.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/includes/lists/class-ays-pb-list-table.php#L701"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3439514@ays-popup-box/tags/6.1.1/&new=3444612@ays-popup-box/tags/6.1.2/"}], "descriptions": [{"lang": "en", "value": "The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:35.031Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1165", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:54:35.031Z", "dateReserved": "2026-01-19T01:15:36.466Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-31T14:22:29.035Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}, {"lang": "es", "value": "El plugin Popup Box para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 6.1.1, inclusive. Esto se debe a una implementaci\u00f3n de nonce defectuosa en la funci\u00f3n 'publish_unpublish_popupbox' que verifica un nonce autocreado en lugar de uno enviado en la petici\u00f3n. Esto hace posible que atacantes no autenticados cambien el estado de publicaci\u00f3n de los popups a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1165", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-31T15:15:50.480", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/admin/partials/ays-pb-admin-display.php#L22"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/includes/lists/class-ays-pb-list-table.php#L701"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3439514@ays-popup-box/tags/6.1.1/&new=3444612@ays-popup-box/tags/6.1.2/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/585a9eb4-f394-4cb2-9050-659171a994d9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T18:55:18.318395+00:00", "value": {"mitigation_remediation": ["Update Popup Box to version 6.1.2 or later to apply the CSRF fix.", "Restrict administrative access by limiting the ability to publish or unpublish popups to trusted users only.", "Monitor popup status logs for unexpected changes and review all plugin updates for similar security issues."], "summary": {"action": "Update Plugin", "impact": "Cross\u2011Site Request Forgery allows an unauthenticated attacker to change popup publish status"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the ays\u2011pro Popup Box plugin, available for WordPress sites. Versions from the initial release through 6.1.1 are impacted. The plugin was updated to 6.1.2 in September 2026 to address the flaw, so any site using 6.1.1 or earlier is at risk. All WordPress installations that rely on this plugin for countdowns, coupons, videos, or contact forms fall under the affected scope.", "description_and_impact": "The Popup Box plugin for WordPress is vulnerable to Cross\u2011Site Request Forgery in all versions up to and including 6.1.1. A flawed nonce implementation in the function responsible for publishing and unpublishing popups verifies a self\u2011created value instead of the nonce supplied in the HTTP request. This omission allows an unauthenticated third party to alter the publish status of popups through a forged request. Because the change can be performed without authentication, the plugin's configuration can be modified by an attacker, potentially enabling them to inject or expose unintended content.", "risk_and_exploitability": "The CVSS score of 4.3 reflects low to medium severity, and the EPSS indicates a very low probability of exploitation as of the last update. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires the attacker to convince a site administrator to load a crafted link or form, so the attack vector is social engineering combined with CSRF. If an admin is deceived, the attacker could toggle popups between published and unpublished states, potentially disrupting marketing workflows or exposing unwanted content. Overall, the risk is low to moderate, but for sites that rely heavily on popups for revenue or branding, updating the plugin mitigates the risk entirely."}}}}, "created": "2026-02-02T09:26:41.205458+00:00", "updated": "2026-04-15T19:00:12.307651+00:00", "vendors": ["ays-pro", "ays-pro$PRODUCT$popup_box", "wordpress", "wordpress$PRODUCT$wordpress"]}