Executive Summary

CVE-2025-15611 affects the WordPress plugin Popup Box AYS Pro versions prior to 5.5.0. The vulnerability occurs because the plugin does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data.

This flaw allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks that lead to stored Cross-Site Scripting (XSS). Specifically, when an authenticated administrator visits a maliciously crafted webpage, the attacker can create or modify popups containing arbitrary JavaScript code.

The malicious script is stored in the database and executed within both the WordPress admin panel and the frontend, compromising the site's security.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the context of the WordPress admin panel and frontend.

As a result, attackers can manipulate or create popups with malicious scripts, potentially leading to unauthorized actions, data theft, session hijacking, or further compromise of the website.

Because the attack requires an authenticated administrator to visit a malicious page, it exploits the trust relationship between the admin and the site.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by verifying if the Popup Box AYS Pro WordPress plugin version is prior to 5.5.0, as those versions are vulnerable.

A practical detection method involves checking for the presence of stored XSS payloads in the popup descriptions within the WordPress database, especially looking for suspicious JavaScript code such as <script>alert(1)</script>.

Additionally, a proof of concept involves creating an HTML page with an auto-submitting form targeting the URL: https://target.com/wp-admin/admin.php?page=ays-pb&action=add with a payload in the ays-pb[popup_description] field.

For command-line detection, you can check the installed plugin version using WP-CLI with the command: wp plugin list | grep popup-box or wp plugin get popup-box --field=version

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the Popup Box AYS Pro WordPress plugin to version 5.5.0 or later, where this vulnerability has been fixed.

Until the update can be applied, restrict access to the WordPress admin panel to trusted users only and avoid visiting untrusted or suspicious web pages while logged in as an administrator.

Additionally, consider scanning and cleaning any stored popups that may contain malicious JavaScript injected via this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to perform Cross-Site Request Forgery attacks that lead to stored Cross-Site Scripting (XSS), enabling arbitrary JavaScript execution in the WordPress admin panel and frontend. This security flaw can compromise the integrity and confidentiality of the website and its data.

Such a compromise could potentially lead to unauthorized access or manipulation of sensitive user data, which may affect compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Useful 0 Not Useful 0