Severity by source
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (CVSS 5.4, Medium)
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.
Analysis (AI)
Cross-Site Request Forgery in the Popup Box WordPress plugin before 5.5.0 lets an attacker trick an authenticated administrator into creating or modifying popups that contain arbitrary JavaScript, because the add_or_edit_popupbox() function does not validate nonces before saving popup data. The CVSS score of 5.4 reflects moderate severity; the EPSS score of 0.02% (6th percentile) indicates a very low probability of real-world exploitation despite publicly available proof-of-concept code, because the attack is only actionable when a logged-in administrator can be induced to visit an attacker-controlled page.
Technical Context (AI)
The vulnerability is a missing CSRF check. The add_or_edit_popupbox() function processes popup creation and modification without verifying a WordPress nonce, which is the platform's standard defence against cross-site request forgery: a keyed hash tied to a specific action, the current user and their session token, valid for a limited time (24 hours by default), that a form must carry and the handler must verify with wp_verify_nonce() or check_admin_referer() before performing a state change. Because the affected Popup Box plugin (CPE: cpe:2.3:a:unknown:popup_box:*:*:*:*:*:*:*:*) does not perform this check, an attacker can host a page that, when visited by an authenticated WordPress administrator, silently submits a request to create or edit a popup with a JavaScript payload; the browser attaches the administrator's session cookies, so the request is processed as theirs. The stored payload then executes in the admin panel and on the frontend for every site visitor, turning a single forged request into persistent cross-site scripting. Note that a nonce check only proves the request originated from the plugin's own form; it does not prove the user is authorised, so handlers should also check a capability such as manage_options.
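To make the missing check concrete, the following is an added example, not the Popup Box plugin's code: a reconstruction of the vulnerable save pattern described above beside a hardened version. The option name, field names and the two function names are hypothetical; the WordPress functions called (check_admin_referer, current_user_can, wp_kses_post, and so on) are the real core APIs.

```php
<?php
// Added example (not the plugin's code). Reconstructs the pattern described
// for add_or_edit_popupbox() and shows the hardened counterpart. Option and
// field names are hypothetical.

// --- Vulnerable pattern: saves whatever the request carries ----------------
function add_or_edit_popupbox_vulnerable() {
    // No nonce check and no capability check: any request that arrives with
    // the admin's cookies, including one auto-submitted by a third-party
    // page, is processed as if the admin had submitted the plugin's form.
    $popups = get_option( 'hypothetical_popupbox_list', array() );
    $id     = isset( $_POST['popup_id'] ) ? absint( $_POST['popup_id'] ) : 0;

    $popups[ $id ] = array(
        'title'   => $_POST['popup_title'] ?? '',
        'content' => $_POST['popup_content'] ?? '', // raw HTML/JS stored verbatim
    );
    update_option( 'hypothetical_popupbox_list', $popups );
}

// --- Hardened pattern -------------------------------------------------------
function add_or_edit_popupbox_hardened() {
    // 1. Authorisation first. A nonce proves intent, not privilege, so a
    //    nonce that leaks to a low-privileged user must still be useless.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 2. CSRF check. The form must carry a nonce generated for this exact
    //    action, e.g. wp_nonce_field( 'popupbox_save', 'popupbox_nonce' ) in
    //    the admin form. check_admin_referer() dies on a missing or invalid
    //    nonce; use wp_verify_nonce() (returns 1, 2 or false) to branch instead.
    check_admin_referer( 'popupbox_save', 'popupbox_nonce' );

    $popups = get_option( 'hypothetical_popupbox_list', array() );
    $id     = isset( $_POST['popup_id'] ) ? absint( $_POST['popup_id'] ) : 0;

    // 3. Defence in depth for stored content. wp_kses_post() strips <script>
    //    and event handlers, so even a forged submission cannot persist
    //    JavaScript to the frontend. Skip this step only if the plugin
    //    deliberately lets administrators store script in popups; the nonce
    //    and capability checks above are the fix for the CSRF itself.
    $popups[ $id ] = array(
        'title'   => sanitize_text_field( wp_unslash( $_POST['popup_title'] ?? '' ) ),
        'content' => wp_kses_post( wp_unslash( $_POST['popup_content'] ?? '' ) ),
    );
    update_option( 'hypothetical_popupbox_list', $popups );
}
```

The order matters: the capability check runs before the nonce check so that an unauthorised request never reaches nonce verification, and the nonce is bound to a named action rather than the default -1, so a nonce minted for some other form in the plugin cannot be replayed against this handler.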
Remediation (AI)
Update Popup Box to version 5.5.0 or later, which adds nonce validation to the add_or_edit_popupbox() function. In the WordPress dashboard go to Plugins > Installed Plugins, locate Popup Box and click Update Now, or enable auto-updates for the plugin (WordPress plugin auto-updates are opt-in per plugin). Organisations that cannot update immediately should restrict wp-admin access to trusted networks and keep administrators from browsing untrusted sites while logged in to WordPress. After updating, review existing popups for unexpected script content: a request forged before the update would have left a stored payload that the fix does not remove. Verify the update on the same Plugins > Installed Plugins screen by confirming the version shown is 5.5.0 or later. Additional details and the vendor advisory are available via NVD (https://nvd.nist.gov/vuln/detail/CVE-2025-15611) and the WPScan vulnerability database (https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/).
External POC / Exploit Code: available via an off-site link (not reproduced here).
Related identifiers: EUVD-2025-209259 · GHSA-86pc-m9xh-3jg9