Skip to main content

Ays Pro Popup CVE-2025-57931

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-10-29 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Oct 29, 2025 - 04:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through <= 5.5.4.

AnalysisAI

Cross-site request forgery in Ays Pro Popup box WordPress plugin versions up to 5.5.4 allows attackers to perform unauthorized actions (such as modifying plugin settings or creating popups) on behalf of authenticated administrators without their knowledge or consent. The vulnerability requires victim interaction (clicking a malicious link while logged in) but carries low exploitation probability (EPSS 0.02%, percentile 4%), suggesting limited real-world attack pressure despite the theoretical risk.

Technical ContextAI

This is a CSRF vulnerability (CWE-352) affecting the Ays Pro Popup box WordPress plugin, which handles popup creation and management. CSRF flaws occur when web applications fail to implement proper anti-forgery tokens (such as nonces in WordPress) in state-changing requests. The vulnerability indicates that sensitive plugin actions lack adequate CSRF protections, allowing an attacker to craft malicious HTML or JavaScript that, when visited by a logged-in administrator, will execute unwanted operations against the plugin without the user's explicit consent. WordPress uses nonce mechanisms to prevent CSRF; absence or improper validation of nonces in this plugin's admin handlers is the root cause.

Affected ProductsAI

Ays Pro Popup box (WordPress plugin) versions from an unspecified baseline through 5.5.4 are affected. The exact earliest vulnerable version is not documented in available data. The plugin is identified by CPE data relating to WordPress plugins and is hosted on the WordPress plugin repository. Patch Stack database reference: https://patchstack.com/database/Wordpress/Plugin/ays-popup-box/vulnerability/wordpress-popup-box-plugin-5-5-4-cross-site-request-forgery-csrf-vulnerability

RemediationAI

Update Ays Pro Popup box to version 5.5.5 or later, which includes CSRF protections via proper nonce validation. Site administrators should navigate to the WordPress plugin dashboard, locate Ays Pro Popup box in the installed plugins list, and click 'Update' if available. If automatic updates are not enabled, download the latest version from the WordPress plugin repository and upload it manually. After patching, verify that popup management functions (creating, editing, deleting popups) require manual confirmation and are no longer susceptible to cross-origin requests. As a temporary mitigation for sites unable to patch immediately, restrict admin access via Web Application Firewall (WAF) rules or IP allowlisting, though this does not remediate the underlying vulnerability.

Share

CVE-2025-57931 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy