Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network without authentication, requires victim click (UI:R), and crosses into the WordPress origin (S:C) with limited C/I/A impact via script execution.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
Description (source: CVE.org)
Unauthenticated Cross Site Scripting (XSS) in Popup box <= 6.2.9 versions.
Analysis (AI-generated)
Reflected cross-site scripting in the Ays Pro Popup Box WordPress plugin versions 6.2.9 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The CVSS 7.1 score reflects scope change (S:C) typical of XSS escaping the plugin context into the broader WordPress session. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires (1) a WordPress site running the Ays Pro Popup Box plugin at version 6.2.9 or below, (2) the attacker delivering a crafted URL to a victim who is currently authenticated to that WordPress site (UI:R, the user must click the link), and (3) the victim's browser executing the injected JavaScript in the WordPress origin. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L produces 7.1 (High), driven primarily by the scope change and unauthenticated network reach, and offset by the required user interaction (clicking a crafted link). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL containing a malicious JavaScript payload in a parameter handled by the Popup Box plugin and delivers it via phishing email, forum post, or malvertising to a WordPress administrator. When the administrator clicks the link while logged in, the script executes in the WordPress origin and can exfiltrate session cookies, perform CSRF-style actions, or create a backdoor administrator account. … |
| Remediation | No vendor-released patch was identified at the time of analysis from the input data. Site administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/ays-popup-box/vulnerability/wordpress-popup-box-plugin-6-2-9-reflected-cross-site-scripting-xss-vulnerability) and the Ays Pro Popup Box page on WordPress.org for the latest version above 6.2.9, and upgrade immediately once it is available. … Detailed patch versions, workarounds, and compensating controls in the full report. |
Recommended Action (AI-generated)
Within 24 hours: inventory all WordPress installations using Ays Pro Popup Box version 6.2.9 or earlier and classify by business criticality. …
EUVD-2026-37635