EUVD-2025-209259 | CVE-2025-15611 | MEDIUM 5.4 (CVSS 3.1)
2026-04-07 | WPScan | GHSA-86pc-m9xh-3jg9

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

PoC Detected: Apr 09, 2026 - 19:43 (vuln.today), public exploit code
Analysis Generated: Apr 07, 2026 - 06:45 (vuln.today)
EUVD ID Assigned: Apr 07, 2026 - 06:45 (euvd), EUVD-2025-209259
CVE Published: Apr 07, 2026 - 06:00 (nvd), MEDIUM 5.4

Description

The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups containing arbitrary JavaScript; the payload is stored with the popup and executes in the admin panel and on the public frontend.

Analysis

Cross-Site Request Forgery in the Popup Box WordPress plugin before 5.5.0 lets an attacker who lures an authenticated admin to a malicious page create or modify popups containing arbitrary JavaScript, because the add_or_edit_popupbox() function does not validate the nonce. The CVSS score of 5.4 reflects moderate severity; the EPSS score of 0.02% (6th percentile) indicates very low real-world exploitation probability even though proof-of-concept code is public, consistent with an attack that needs targeted social engineering of a logged-in administrator to be actionable in practice.

Technical Context

The vulnerability stems from a missing CSRF check in the plugin's save path. The add_or_edit_popupbox() function processes popup creation and modification without verifying a nonce, which is WordPress's primary defense against cross-site request forgery. A WordPress nonce (wp_create_nonce()) is a keyed hash over the action name, the user ID, the user's session token and a 12-hour time tick; wp_verify_nonce(), check_admin_referer() and check_ajax_referer() accept it for the current and previous tick, so it is valid for 12 to 24 hours rather than being single-use. A page on another origin cannot read or compute that value, so a state-changing handler that requires it rejects forged cross-origin submissions; a handler that skips the check accepts any request that arrives with the victim's session cookies. The affected Popup Box plugin (CPE: cpe:2.3:a:unknown:popup_box:*:*:*:*:*:*:*:*) omits this check, allowing an attacker to craft a webpage that, when visited by an authenticated WordPress administrator, silently submits a request to create or edit a popup with a malicious JavaScript payload. The stored payload executes within the admin panel context during creation and on the frontend for site visitors, turning the CSRF into persistent XSS with a secondary attack surface, which is what the changed scope (S:C) in the CVSS vector reflects. Note that a nonce check proves the request came from a form the site issued to that user; it is not an authorization check, so a handler also needs a capability check (current_user_can()) alongside it.
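Added example, not code from the Popup Box plugin, WPScan or vuln.today: an admin-post save handler in the shape the advisory describes, first without a nonce check and then hardened with WordPress's own nonce and capability APIs. Every function, option, page slug and form field name below is an assumption chosen for illustration; the real add_or_edit_popupbox() signature and parameters are not given in the advisory.

```php
<?php
// Added example (assumed names throughout), not the plugin's own code.

// ---- Vulnerable shape: accepts any POST that carrives with login cookies ----
// A page on another origin can auto-submit a form to admin-post.php with
// action=example_save_popup; the victim's browser attaches the WordPress
// auth cookies and this handler stores whatever the foreign form contained.
function example_save_popup_vulnerable() {
    $popups = get_option( 'example_popups', array() );
    $popups[ $_POST['popup_id'] ] = array(
        'title'   => $_POST['title'],
        'content' => $_POST['content'], // arbitrary <script> lands here
    );
    update_option( 'example_popups', $popups );
}

// ---- Hardened shape: capability check, nonce check, then input handling ----
function example_save_popup_hardened() {
    // 1. Authorization. A nonce proves intent, not permission; only users
    //    allowed to manage the site may write popup content at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to edit popups.', 403 );
    }

    // 2. CSRF. check_admin_referer() runs wp_verify_nonce() on the
    //    '_wpnonce' field for this action and dies with a 403 if it fails.
    //    The nonce is a keyed hash over the action, user ID, session token
    //    and a 12-hour tick, so a foreign origin cannot forge it. For AJAX
    //    handlers hooked on wp_ajax_*, use check_ajax_referer() instead.
    check_admin_referer( 'example_save_popup', '_wpnonce' );

    // 3. Input. The nonce does not make the payload safe. Popup plugins often
    //    let admins embed script on purpose; gate that on the core
    //    unfiltered_html capability (multisite withholds it from site admins)
    //    and filter everyone else through wp_kses_post().
    $popup_id = isset( $_POST['popup_id'] ) ? sanitize_key( wp_unslash( $_POST['popup_id'] ) ) : '';
    $title    = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $content  = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );
    }
    if ( '' === $popup_id ) {
        wp_die( 'Missing popup id.', 400 );
    }

    $popups              = get_option( 'example_popups', array() );
    $popups[ $popup_id ] = array( 'title' => $title, 'content' => $content );
    update_option( 'example_popups', $popups );

    // Page slug is assumed for the example.
    wp_safe_redirect( admin_url( 'admin.php?page=example-popups&updated=1' ) );
    exit;
}

// The plugin's own admin form must carry the matching nonce for the hardened
// handler to accept it. wp_nonce_field() emits the hidden '_wpnonce' input
// (plus '_wp_http_referer'); the attacker's page cannot produce that value.
function example_render_popup_form( $popup_id = '', $title = '', $content = '' ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_popup">
        <?php wp_nonce_field( 'example_save_popup', '_wpnonce' ); ?>
        <input type="text" name="popup_id" value="<?php echo esc_attr( $popup_id ); ?>">
        <input type="text" name="title" value="<?php echo esc_attr( $title ); ?>">
        <textarea name="content"><?php echo esc_textarea( $content ); ?></textarea>
        <?php submit_button( 'Save popup' ); ?>
    </form>
    <?php
}

// Route the admin-post action to the hardened handler only.
add_action( 'admin_post_example_save_popup', 'example_save_popup_hardened' );
```

The order inside the hardened handler matters: the capability check comes first so an unprivileged but logged-in user never reaches the nonce code, the nonce check comes before any read of the request body, and the content filter is applied last because it protects against a different problem (unsafe HTML) than the nonce does (forged intent).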

Affected Products

Popup Box WordPress plugin in all versions before 5.5.0, i.e. up to and including the 5.4.x series, is affected (EUVD-2025-209259). The vulnerability is resolved in version 5.5.0 and later. Organizations running Popup Box below version 5.5.0 should treat this as applicable regardless of the exact minor version.

Remediation

Update Popup Box to version 5.5.0 or later immediately; that release adds proper nonce validation to the add_or_edit_popupbox() function. WordPress administrators should navigate to Plugins > Installed Plugins, locate Popup Box, and click Update if available, or rely on the WordPress auto-update feature if it is enabled. For organizations unable to update immediately, note that restricting wp-admin to trusted networks does not stop this attack, because the forged request is sent by the administrator's own browser from inside that network; interim measures that do help are having admins use a dedicated browser profile for WordPress administration and log out when finished, avoiding untrusted links while logged in, and, where a reverse proxy can rewrite Set-Cookie, marking the WordPress auth cookies SameSite=Lax or Strict so that browsers which enforce the attribute withhold them from a cross-site POST. These are workarounds, not a substitute for the update. Verify the update by checking Administration > Plugins and confirming the version is 5.5.0 or higher. Additional details and the vendor advisory are available via NVD (https://nvd.nist.gov/vuln/detail/CVE-2025-15611) and the WPScan vulnerability database (https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/).
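Added example, not code from vuln.today or the plugin: a fleet-side check that reads the "Version:" header from a plugin's main file the way WordPress itself does and decides whether the copy falls in the affected range below 5.5.0. The header text is constructed sample data and the function names are assumptions; the plugin's real header block may differ.

```php
<?php
// Added example (assumed names, constructed sample data), not the plugin's code.

// Lowest fixed version from the advisory.
const POPUP_BOX_FIXED_VERSION = '5.5.0';

// Extract the "Version:" header from a plugin's main PHP file contents.
// The pattern mirrors the one WordPress core uses for plugin headers:
// optional comment punctuation, the key, a colon, then the value.
function popup_box_header_version( string $plugin_file_contents ): ?string {
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $plugin_file_contents, $m ) ) {
        return $m[1];
    }
    return null;
}

// version_compare() understands dotted versions and pre-release suffixes
// ("5.5.0-beta1" < "5.5.0"). A plain string comparison would rank "5.10.1"
// below "5.5.0" and wrongly flag a fixed install as vulnerable.
function popup_box_is_affected( string $version ): bool {
    return version_compare( $version, POPUP_BOX_FIXED_VERSION, '<' );
}

// Constructed sample headers, one per installed copy being audited.
$samples = array(
    'site-a' => "<?php\n/*\nPlugin Name: Popup Box\nVersion: 5.4.9\n*/",
    'site-b' => "<?php\n/*\nPlugin Name: Popup Box\nVersion: 5.5.0\n*/",
    'site-c' => "<?php\n/*\nPlugin Name: Popup Box\nVersion: 5.10.1\n*/",
    'site-d' => "<?php\n/*\nPlugin Name: Popup Box\nVersion: 5.5.0-beta1\n*/",
    'site-e' => "<?php\n/*\nPlugin Name: Popup Box\n*/",
);

foreach ( $samples as $site => $contents ) {
    $version = popup_box_header_version( $contents );
    // Treat a missing header as affected: an unknown version must be verified
    // by hand rather than silently passed.
    $affected = ( null === $version ) || popup_box_is_affected( $version );
    printf( "%s: version %s -> %s\n", $site, $version ?? 'unknown', $affected ? 'AFFECTED, update' : 'fixed' );
}
```

In a real audit the `$samples` array would be replaced by reading each site's plugin file (for example `wp-content/plugins/<slug>/<main-file>.php`) or by running `wp plugin get <slug> --field=version` with WP-CLI; the comparison logic stays the same.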

Priority Score

47 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +27
POC: +20


EUVD-2025-209259 vulnerability details – vuln.today
