| CVE/PSC | Application | Date | Affected versions | Description |
|---|---|---|---|---|
| Actual on: Jun 24, 2026, 01:06:01 | Entries count: 22 | |||
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 24, 2024, 14:06:35 |
Min -
Max 4.5.2
|
Missing Authorization vulnerability in Popup Box Team Popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup box: from n/a through 4.5.1. | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 19, 2026, 13:06:24 |
Min -
Max 6.3.0
|
Unauthenticated Cross Site Scripting (XSS) in Popup box <= 6.2.9 versions. | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
May 19, 2025, 11:05:52 |
Min -
Max 4.7.8
|
The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 16, 2026, 02:06:35 |
Min -
Max 3.8.7
|
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box] < 3.8.7 Popup Box <= 3.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting The Popup Box – Best WordPress Popup Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to 3.8.7 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to i... | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 16, 2026, 02:06:35 |
Min -
Max 2.3.4
|
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box] < 2.3.4 Multiple Plugins from AYS Pro - Reflected Cross-Site Scripting (XSS) The plugins did not properly sanitise and escape some GET parameters before outputting them back in attributes, leading to reflected Cross-Site Scripting issues which will be executed in the context of a logged in administrator | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 16, 2026, 02:06:35 |
Min -
Max 3.7.2
|
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box] < 3.7.2 Popup Box <= 3.7.1 - Authenticated(Administrator+) Stored Cross-Site Scripting The Popup Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in ... | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 07, 2024, 03:06:35 |
Min -
Max 3.7.9
|
The Popup box WordPress plugin before 3.7.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 07, 2024, 03:06:35 |
Min -
Max 2.3.4
|
The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 16, 2026, 02:06:35 |
Min -
Max 3.7.2
|
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box] < 3.7.2 WordPress Popup box Plugin < 3.7.2 is vulnerable to Cross Site Scripting (XSS) Update the WordPress Popup box plugin to the latest available version (at least 3.7.2). Unknown discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Popup box Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your we... | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 07, 2024, 03:06:35 |
Min -
Max 3.4.5
|
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Popup Box Team Popup box plugin <= 3.4.4 versions. | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 07, 2024, 03:06:35 |
Min -
Max 3.7.2
|
The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 07, 2024, 03:06:35 |
Min -
Max 3.8.6
|
The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 16, 2026, 02:06:35 |
Min -
Max 2.3.4
|
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box] < 2.3.4 Popup box <= 2.3.3 - Cross-Site Scripting The Popup box plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an a... | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 07, 2024, 03:06:35 |
Min -
Max 4.3.7
|
The Popup Box – Best WordPress Popup Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_pb_create_author AJAX action in all versions up to, and including, 4.3.6. This makes it possible for unauthenticated attackers to enumerate all emails registered on the website. | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 07, 2024, 03:06:35 |
Min -
Max 4.1.3
|
Cross-Site Request Forgery (CSRF) vulnerability in Popup Box Team Popup box allows Cross-Site Scripting (XSS).This issue affects Popup box: from n/a through 4.1.2. | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 07, 2024, 03:06:35 |
Min -
Max 3.8.6
|
The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 16, 2026, 02:06:35 |
Min -
Max 3.7.1
|
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box] < 3.7.1 Popup Box <= 3.7.0 - Authenticated(Administrator+) Stored Cross-Site Scripting The Popup Box plugin is for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_html’ parameter in versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary... | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jun 07, 2024, 03:06:35 |
Min -
Max 3.9.0
|
The Popup Box WordPress plugin before 20.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Nov 16, 2024, 11:11:41 |
Min -
Max 4.9.8
|
The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the 'ays_pb_upgrade_plugin' option with arbitrary data. | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Apr 14, 2026, 01:04:57 |
Min -
Max 6.1.2
|
The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link. | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Apr 14, 2026, 01:04:57 |
Min -
Max 5.5.0
|
The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend. | |
|
Popup Box – Best WordPress Popup Plugin
vulnerable
|
Jan 27, 2026, 18:01:00 |
Min -
Max 6.0.8
|
Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through <= 6.0.7. | |