CVE-2025-57931
Description
Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery. This issue affects Popup box: from n/a through <= 5.5.4.
Analysis
Cross-site request forgery in Ays Pro Popup box WordPress plugin versions up to 5.5.4 allows attackers to perform unauthorized actions (such as modifying plugin settings or creating popups) on behalf of authenticated administrators without their knowledge or consent. The vulnerability requires victim interaction (clicking a malicious link while logged in) but carries low exploitation probability (EPSS 0.02%, percentile 4%), suggesting limited real-world attack pressure despite the theoretical risk.
Technical Context
This is a CSRF vulnerability (CWE-352) affecting the Ays Pro Popup box WordPress plugin, which handles popup creation and management. CSRF flaws occur when web applications fail to implement proper anti-forgery tokens (such as nonces in WordPress) in state-changing requests. The vulnerability indicates that sensitive plugin actions lack adequate CSRF protections, allowing an attacker to craft malicious HTML or JavaScript that, when visited by a logged-in administrator, will execute unwanted operations against the plugin without the user's explicit consent. WordPress uses nonce mechanisms to prevent CSRF; absence or improper validation of nonces in this plugin's admin handlers is the root cause.
Affected Products
Ays Pro Popup box (WordPress plugin) versions from an unspecified baseline through 5.5.4 are affected. The exact earliest vulnerable version is not documented in available data. The plugin is identified by CPE data relating to WordPress plugins and is hosted on the WordPress plugin repository. Patchstack database reference: https://patchstack.com/database/Wordpress/Plugin/ays-popup-box/vulnerability/wordpress-popup-box-plugin-5-5-4-cross-site-request-forgery-csrf-vulnerability
Remediation
Update Ays Pro Popup box to version 5.5.5 or later, which includes CSRF protections via proper nonce validation. Site administrators should navigate to the WordPress plugin dashboard, locate Ays Pro Popup box in the installed plugins list, and click 'Update' if available. If automatic updates are not enabled, download the latest version from the WordPress plugin repository and upload it manually. After patching, verify that state-changing popup management requests (creating, editing, deleting popups) carry a nonce that the plugin validates, so that a request submitted from another origin is rejected rather than processed. As a temporary mitigation for sites unable to patch immediately, restrict admin access via Web Application Firewall (WAF) rules or IP allowlisting, though this does not remediate the underlying vulnerability.
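The root cause described in the Technical Context section and the fix described above, as an added example that is not the plugin's own code: a hypothetical admin-post handler that saves a popup setting, first in the unprotected form (CWE-352) and then with a WordPress nonce emitted in the form and verified before any state change. All function, option, and action names (`example_popup_*`) are assumptions; the WordPress API calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `admin_post_*`) are real.

```php
<?php
// Added example, not code from the Ays Pro Popup box plugin. Names prefixed
// example_popup_ are hypothetical.

// BEFORE: the pattern the advisory describes. admin-post.php only requires a
// logged-in user, so a form auto-submitted from another site by an
// administrator's browser reaches update_option() with the admin's cookies.
function example_popup_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['popup_title'] ?? '' ) );
    update_option( 'example_popup_title', $title ); // state change, no origin proof
    wp_safe_redirect( admin_url( 'admin.php?page=example-popup' ) );
    exit;
}

// AFTER, step 1: the settings form carries a nonce bound to this user and action.
function example_popup_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_popup_save">';
    wp_nonce_field( 'example_popup_save', 'example_popup_nonce' );
    echo '<input type="text" name="popup_title">';
    submit_button( 'Save' );
    echo '</form>';
}

// AFTER, step 2: verify the nonce before touching state. check_admin_referer()
// runs wp_verify_nonce() on $_POST['example_popup_nonce'] and dies with a 403
// when it is missing, expired, or was issued for another user or action.
// The capability check stays: the nonce proves origin, not authorization.
function example_popup_save_hardened() {
    check_admin_referer( 'example_popup_save', 'example_popup_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['popup_title'] ?? '' ) );
    update_option( 'example_popup_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=example-popup' ) );
    exit;
}

// Only the hardened handler is registered for the admin-post action.
add_action( 'admin_post_example_popup_save', 'example_popup_save_hardened' );
```

When reviewing a plugin's admin handlers after the update, the check is the same for each `admin_post_*`, `wp_ajax_*`, or settings-page callback: a nonce verification (`check_admin_referer`, `check_ajax_referer`, or `wp_verify_nonce`) must precede every state-changing call.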