Vulnerabilities and security researches forays-popup-box ays-popup-box
Direction: descendingJun 19, 2026
Popup Box – Best WordPress Popup Plugin # CVE-2026-54192
- CVE, Research URL
- Application
- Date
- Jun 17, 2026
- Research Description
- Unauthenticated Cross Site Scripting (XSS) in Popup box <= 6.2.9 versions.
- Affected versions
-
max 6.3.0.
- Status
-
vulnerable
Jun 16, 2026
Popup Box – Best WordPress Popup Plugin # f76ca70e36e5617655fc90029c18e6f94ba010fc
- CVE, Research URL
- Application
- Date
- Nov 13, 2023
- Research Description
- Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box] < 3.8.7 Popup Box <= 3.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting The Popup Box – Best WordPress Popup Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to 3.8.7 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
- Affected versions
-
max 3.8.7.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # bd2e0643-c83b-4ca6-9332-66e4c49252ba
- CVE, Research URL
- Application
- Date
- -
- Research Description
- Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box] < 2.3.4 Multiple Plugins from AYS Pro - Reflected Cross-Site Scripting (XSS) The plugins did not properly sanitise and escape some GET parameters before outputting them back in attributes, leading to reflected Cross-Site Scripting issues which will be executed in the context of a logged in administrator
- Affected versions
-
max 2.3.4.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # dbba8c2356e5b6608eff09535d320a3bfe966feb
- CVE, Research URL
- Application
- Date
- Aug 29, 2023
- Research Description
- Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box] < 3.7.2 Popup Box <= 3.7.1 - Authenticated(Administrator+) Stored Cross-Site Scripting The Popup Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
- Affected versions
-
max 3.7.2.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # 338f55f75f3e66c5ae9bd54cbbeeef403af7e933
- CVE, Research URL
- Application
- Date
- Aug 31, 2023
- Research Description
- Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box] < 3.7.2 WordPress Popup box Plugin < 3.7.2 is vulnerable to Cross Site Scripting (XSS) Update the WordPress Popup box plugin to the latest available version (at least 3.7.2). Unknown discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Popup box Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.7.2.
- Affected versions
-
max 3.7.2.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # 1569f01e8a0747bada01dc9aea9cfb5493bafe4c
- CVE, Research URL
- Application
- Date
- Jun 29, 2021
- Research Description
- Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box] < 2.3.4 Popup box <= 2.3.3 - Cross-Site Scripting The Popup box plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions
-
max 2.3.4.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # 27b24aa5e164574a90ca3d13653f3826d127d7bb
- CVE, Research URL
- Application
- Date
- Aug 18, 2023
- Research Description
- Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box] < 3.7.1 Popup Box <= 3.7.0 - Authenticated(Administrator+) Stored Cross-Site Scripting The Popup Box plugin is for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_html’ parameter in versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
- Affected versions
-
max 3.7.1.
- Status
-
vulnerable
Apr 14, 2026
Popup Box – Best WordPress Popup Plugin # CVE-2026-1165
- CVE, Research URL
- Application
- Date
- Jan 31, 2026
- Research Description
- The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
- Affected versions
-
max 6.1.2.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # CVE-2025-15611
- CVE, Research URL
- Application
- Date
- Apr 07, 2026
- Research Description
- The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.
- Affected versions
-
max 5.5.0.
- Status
-
vulnerable
Jan 27, 2026
Popup Box – Best WordPress Popup Plugin # CVE-2025-69021
- CVE, Research URL
- Application
- Date
- Dec 30, 2025
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through <= 6.0.7.
- Affected versions
-
max 6.0.8.
- Status
-
vulnerable
May 19, 2025
Popup Box – Best WordPress Popup Plugin # CVE-2024-9599
- CVE, Research URL
- Application
- Date
- May 16, 2025
- Research Description
- The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
- Affected versions
-
max 4.7.8.
- Status
-
vulnerable
Nov 16, 2024
Popup Box – Best WordPress Popup Plugin # CVE-2024-10861
- CVE, Research URL
- Application
- Date
- Nov 16, 2024
- Research Description
- The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the 'ays_pb_upgrade_plugin' option with arbitrary data.
- Affected versions
-
max 4.9.8.
- Status
-
vulnerable
Jun 24, 2024
Popup Box – Best WordPress Popup Plugin # CVE-2024-37096
- CVE, Research URL
- Application
- Date
- Nov 01, 2024
- Research Description
- Missing Authorization vulnerability in Popup Box Team Popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup box: from n/a through 4.5.1.
- Affected versions
-
max 4.5.2.
- Status
-
vulnerable
Jun 07, 2024
Popup Box – Best WordPress Popup Plugin # CVE-2023-5343
- CVE, Research URL
- Application
- Date
- Nov 21, 2023
- Research Description
- The Popup box WordPress plugin before 3.7.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
- Affected versions
-
max 3.7.9.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # CVE-2021-24458
- CVE, Research URL
- Application
- Date
- Aug 02, 2021
- Research Description
- The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
- Affected versions
-
max 2.3.4.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # CVE-2023-27414
- CVE, Research URL
- Application
- Date
- Jun 21, 2023
- Research Description
- Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Popup Box Team Popup box plugin <= 3.4.4 versions.
- Affected versions
-
max 3.4.5.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # CVE-2023-4390
- CVE, Research URL
- Application
- Date
- Oct 31, 2023
- Research Description
- The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).
- Affected versions
-
max 3.7.2.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # CVE-2023-5809
- CVE, Research URL
- Application
- Date
- Dec 05, 2023
- Research Description
- The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
- Affected versions
-
max 3.8.6.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # CVE-2024-3897
- CVE, Research URL
- Application
- Date
- May 02, 2024
- Research Description
- The Popup Box – Best WordPress Popup Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_pb_create_author AJAX action in all versions up to, and including, 4.3.6. This makes it possible for unauthenticated attackers to enumerate all emails registered on the website.
- Affected versions
-
max 4.3.7.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # CVE-2024-34367
- CVE, Research URL
- Application
- Date
- May 07, 2024
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in Popup Box Team Popup box allows Cross-Site Scripting (XSS).This issue affects Popup box: from n/a through 4.1.2.
- Affected versions
-
max 4.1.3.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # CVE-2023-5874
- CVE, Research URL
- Application
- Date
- Dec 05, 2023
- Research Description
- The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
- Affected versions
-
max 3.8.6.
- Status
-
vulnerable
Popup Box – Best WordPress Popup Plugin # CVE-2023-6591
- CVE, Research URL
- Application
- Date
- Feb 12, 2024
- Research Description
- The Popup Box WordPress plugin before 20.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
- Affected versions
-
max 3.9.0.
- Status
-
vulnerable