{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32428", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:30.946Z", "datePublished": "2026-03-13T11:42:17.541Z", "dateUpdated": "2026-04-29T09:51:59.116Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ays-facebook-popup-likebox", "product": "Popup Like box", "vendor": "Ays Pro", "versions": [{"changes": [{"at": "3.7.8", "status": "unaffected"}], "lessThanOrEqual": "3.7.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:16.739Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Ays Pro Popup Like box ays-facebook-popup-likebox allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Popup Like box: from n/a through <= 3.7.7.</p>"}], "value": "Missing Authorization vulnerability in Ays Pro Popup Like box ays-facebook-popup-likebox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Like box: from n/a through <= 3.7.7."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:59.116Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ays-facebook-popup-likebox/vulnerability/wordpress-popup-like-box-plugin-3-7-7-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Popup Like box plugin <= 3.7.7 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T17:52:43.883690Z", "id": "CVE-2026-32428", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T17:53:07.918Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32428", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T17:52:43.883690Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T17:51:04.536Z"}}], "cna": {"title": "WordPress Popup Like box plugin <= 3.7.7 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Ays Pro", "product": "Popup Like box", "versions": [{"status": "affected", "changes": [{"at": "3.7.8", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 3.7.7"}], "packageName": "ays-facebook-popup-likebox", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:20.980Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/ays-facebook-popup-likebox/vulnerability/wordpress-popup-like-box-plugin-3-7-7-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Ays Pro Popup Like box ays-facebook-popup-likebox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Like box: from n/a through <= 3.7.7.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Ays Pro Popup Like box ays-facebook-popup-likebox allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Popup Like box: from n/a through <= 3.7.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:42:17.541Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32428", "state": "PUBLISHED", "dateUpdated": "2026-03-13T17:53:07.918Z", "dateReserved": "2026-03-12T11:11:30.946Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:17.541Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Ays Pro Popup Like box ays-facebook-popup-likebox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Like box: from n/a through <= 3.7.7."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Ays Pro Popup Like box ays-facebook-popup-likebox permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Popup Like box: desde n/a hasta &lt;= 3.7.7."}], "id": "CVE-2026-32428", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:55:01.463", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ays-facebook-popup-likebox/vulnerability/wordpress-popup-like-box-plugin-3-7-7-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.7]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[3.7.8,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Popup Like box", "source": "cna", "vendor": "Ays Pro"}, "product": "popup_like_box", "vendor": "ays-pro"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:16:40.669484+00:00", "value": {"mitigation_remediation": ["Update the Ays Pro Popup Like box plugin to the latest version (>=3.7.8 if available).", "If an update cannot be applied immediately, temporarily disable the plugin to prevent exploitation. ", "Monitor the vendor\u2019s security advisories and contact support for a patch date."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "This issue affects all releases of the Ays Pro Popup Like box plugin through version\u202f3.7.7 (inclusive). The affected product is the WordPress plugin Ays Pro:Popup Like box (ays\u2011facebook\u2011popup\u2011likebox) and any site that has installed this plugin with a version equal to or lower than\u202f3.7.7.", "description_and_impact": "The Ays Pro Popup Like box plugin contains a missing authorization flaw that allows attackers to bypass built\u2011in access controls. This vulnerability is identified as CWE\u2011862 and enables unauthenticated or minimally privileged users to modify the plugin\u2019s configuration or view protected data. If exploited, an attacker could change settings, inject content, or otherwise disrupt the intended operation of the WordPress site.", "risk_and_exploitability": "CVSS score of 5.3 indicates a moderate severity. EPSS is less than 1\u202f%, suggesting that at present, exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves authenticated web requests to the plugin\u2019s endpoints because the flaw stems from incorrectly configured access control checks. While the vulnerability could be used to alter configuration or gain unauthorized information, it does not appear to provide full remote code execution or privilege escalation beyond the plugin\u2019s scope."}}}}, "created": "2026-03-16T09:33:43.698750+00:00", "updated": "2026-03-23T12:03:36.269360+00:00", "vendors": ["ays-pro", "ays-pro$PRODUCT$popup_like_box", "wordpress", "wordpress$PRODUCT$wordpress"]}