Popup Box

The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.

Published: 2026-04-07T06:00:09.736Z
Updated: 2026-04-07T16:25:37.703Z

The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: 2025-05-15T20:07:21.676Z
Updated: 2025-05-16T20:37:17.878Z

The Popup Box – Best WordPress Popup Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_pb_create_author AJAX action in all versions up to, and including, 4.3.6. This makes it possible for unauthenticated attackers to enumerate all emails registered on the website.

Published: 2024-05-02T16:52:48.240Z
Updated: 2026-04-08T17:30:18.726Z

The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the 'ays_pb_upgrade_plugin' option with arbitrary data.

Published: 2024-11-16T02:02:31.802Z
Updated: 2026-04-08T17:20:23.454Z

The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Published: 2023-12-04T21:28:13.541Z
Updated: 2024-11-21T19:21:06.239Z

The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Published: 2023-12-04T21:29:58.534Z
Updated: 2024-08-02T08:14:24.307Z

The Popup box WordPress plugin before 3.7.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Published: 2023-11-20T18:55:12.772Z
Updated: 2024-09-09T18:15:08.326Z

The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Published: 2023-10-31T13:54:45.161Z
Updated: 2025-04-23T16:10:06.020Z

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Popup Box Team Popup box plugin <= 3.4.4 versions.

Published: 2023-06-21T13:27:47.982Z
Updated: 2026-04-28T16:08:12.915Z

The get_fb_likeboxes() function in the Popup Like box – Page Plugin WordPress plugin before 3.5.3 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

Published: 2021-08-02T10:32:06.000Z
Updated: 2024-08-03T19:35:19.691Z

The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

Published: 2021-08-02T10:32:03.000Z
Updated: 2024-08-03T19:35:18.675Z