CVE-2025-15611

Published Apr 7, 2026

Last updated 2 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-15611 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Popup Box WordPress plugin, affecting versions prior to 5.5.0. The flaw originates in the `add_or_edit_popupbox()` function, which saves popup data without adequately validating the WordPress nonce that should tie the request to a form the administrator actually submitted on the site. Because the browser attaches the administrator's session cookies to a cross-site form post, an unauthenticated attacker who lures a logged-in administrator to a specially crafted page can create or modify popups containing arbitrary JavaScript. That JavaScript is then stored and executes both in the WordPress administration panel and on the website's frontend.

Description
The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.
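The hardening pattern the description implies, as an added illustration that is not the Popup Box plugin's code: a minimal admin-side save handler in the vulnerable shape (a logged-in admin's POST is trusted with no nonce check) next to a version that checks capability and nonce and filters the stored markup. All function, option and field names (`hypothetical_*`, `popup_title`, `popup_content`) are hypothetical; only the WordPress API calls (`check_admin_referer`, `wp_verify_nonce`, `wp_nonce_field`, `current_user_can`, `wp_kses_post`) are real.

```php
<?php
/**
 * Added illustration, not the plugin's own code. Names prefixed
 * "hypothetical_" and the form field names are invented for the example.
 */

// --- Vulnerable shape: trusts the request because the user is an admin.
// The browser sends the admin's cookies with any cross-site form post, so an
// attacker's page can drive this handler while the admin is logged in.
function hypothetical_vulnerable_save_popup() {
    // No nonce check: nothing proves the admin submitted this site's form.
    $popup = array(
        'title'   => isset( $_POST['popup_title'] ) ? $_POST['popup_title'] : '',
        // Raw HTML/JS stored here is later echoed in wp-admin and on the frontend.
        'content' => isset( $_POST['popup_content'] ) ? $_POST['popup_content'] : '',
    );
    update_option( 'hypothetical_popup', $popup );
}

// --- Hardened shape.
function hypothetical_secure_save_popup() {
    // 1. Capability check: a nonce is not an authorisation check on its own.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: the form must carry a token minted for this action and
    //    this user. check_admin_referer() runs wp_verify_nonce() on the named
    //    field and dies with 403 if the token is missing, stale or forged.
    check_admin_referer( 'hypothetical_save_popup', 'hypothetical_popup_nonce' );
    // Equivalent non-fatal form, when you want to return an error instead:
    // if ( ! wp_verify_nonce( $_POST['hypothetical_popup_nonce'] ?? '', 'hypothetical_save_popup' ) ) { return; }

    // 3. Defence in depth: sanitise on input so a forged or compromised admin
    //    request cannot store <script>; wp_kses_post() keeps post-content markup only.
    $popup = array(
        'title'   => sanitize_text_field( wp_unslash( $_POST['popup_title'] ?? '' ) ),
        'content' => wp_kses_post( wp_unslash( $_POST['popup_content'] ?? '' ) ),
    );
    update_option( 'hypothetical_popup', $popup );
}

// The settings form must mint the nonce the handler expects.
function hypothetical_render_popup_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypothetical_save_popup">
        <?php wp_nonce_field( 'hypothetical_save_popup', 'hypothetical_popup_nonce' ); ?>
        <input type="text" name="popup_title">
        <textarea name="popup_content"></textarea>
        <?php submit_button( 'Save popup' ); ?>
    </form>
    <?php
}

// Route the admin-post action to the hardened handler only.
add_action( 'admin_post_hypothetical_save_popup', 'hypothetical_secure_save_popup' );
```

The nonce check is the fix for the CSRF itself; the `wp_kses_post()` filtering is a separate design choice, since single-site WordPress administrators ordinarily hold `unfiltered_html` and a plugin may legitimately let them store script. When reviewing a plugin for this class of bug, look for every `admin_post_*`, `wp_ajax_*` or `admin_init` save path and confirm it reaches `check_admin_referer()` / `wp_verify_nonce()` and a capability check before any `update_option()` or database write.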
Source
contact@wpscan.com
NVD status
Analyzed
Products
popup_box

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.4
Impact score
2.7
Exploitability score
2.3
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

nvd@nist.gov
CWE-918
Note: CWE-918 is Server-Side Request Forgery. The behaviour described above (a forged cross-site request riding on an administrator's session because of a missing nonce check) is Cross-Site Request Forgery, CWE-352, and the resulting stored script execution corresponds to CWE-79.
