Popup Box
Reflected cross-site scripting in the Ays Pro Popup Box WordPress plugin versions 6.2.9 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The CVSS 7.1 score reflects scope change (S:C) typical of XSS escaping the plugin context into the broader WordPress session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.