Skip to main content

Popup Like Box EUVDEUVD-2026-11961

| CVE-2026-32428 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11961
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Ays Pro Popup Like box ays-facebook-popup-likebox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Like box: from n/a through <= 3.7.7.

AnalysisAI

Popup Like Box versions 3.7.7 and earlier contain an authorization bypass vulnerability that allows unauthenticated attackers to modify content through improperly configured access controls. The vulnerability affects the ays-facebook-popup-likebox plugin and requires no user interaction to exploit. While no patch is currently available, the impact is limited to integrity violations without affecting confidentiality or availability.

Technical ContextAI

This vulnerability stems from improper implementation of authorization checks in a WordPress plugin designed to embed Facebook Like boxes. The root cause is classified under CWE-862 (Missing Authorization), which occurs when the application fails to verify that the user attempting an action has the necessary permissions before executing sensitive operations. The affected plugin (cpe:2.3:a:ays-pro:ays-facebook-popup-likebox) is a server-side WordPress component that processes user requests to display and interact with Facebook social widgets. The missing authorization flaw likely exists in action handlers or AJAX endpoints that do not validate user roles, nonces, or capabilities before allowing modifications to plugin settings, popup configurations, or Like box parameters. Since this is a WordPress plugin vulnerability, the attack surface includes WordPress administrative APIs and publicly accessible plugin endpoints that may not require authentication by default.

RemediationAI

Immediately upgrade the Ays Pro Popup Like box plugin to the latest version available beyond 3.7.7, which should include authorization controls and proper capability checks. Check the official Ays Pro plugin repository or WordPress.org for the patched release. If a patched version is not yet available, consider temporarily disabling the plugin until a fix is released. As a workaround, restrict access to the WordPress administrative backend using IP whitelisting, Web Application Firewall (WAF) rules blocking unauthenticated requests to plugin endpoints, or a reverse proxy that enforces authentication. Additionally, ensure WordPress security best practices are followed: maintain up-to-date WordPress core and all plugins, use security plugins to monitor for unauthorized changes to site settings, and implement WordPress nonces and capability checks via custom code if modifying the plugin directly. Monitor plugin changelogs and security advisories from Ays Pro for patch release announcements.

Share

EUVD-2026-11961 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy