cleantalk
Vulnerabilities and Security Researches

Popup Box – Best WordPress Popup Plugin, CVE-2026-1165

CVE, Research URL

CVE-2026-1165

Home page URL

Security reports for Popup Box – Best WordPress Popup Plugin

Application

Popup Box – Best WordPress Popup Plugin

Published on
Jan 31, 2026
Research Description
The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Affected versions
max 6.1.2.
Status
vulnerable
Previous vulnerability researches
Popup Box – Best WordPress Popup Plugin (CVE-2024-37096) , Jun 24, 2024
Popup Box – Best WordPress Popup Plugin (CVE-2026-54192) , Jun 19, 2026
Popup Box – Best WordPress Popup Plugin (CVE-2024-9599) , May 19, 2025
Popup Box – Best WordPress Popup Plugin (f76ca70e36e5617655fc90029c18e6f94ba010fc) , Jun 16, 2026
Popup Box – Best WordPress Popup Plugin (bd2e0643-c83b-4ca6-9332-66e4c49252ba) , Jun 16, 2026
New vulnerability
WP Travel Gutenberg Blocks (CVE-2026-54808) , Jun 19, 2026
BetterDocs – Best Documentation, FAQ & Knowledge Base Plugin with AI Support (CVE-2026-12157) , Jun 19, 2026
Advanced Import : One Click Import for WordPress or Theme Demo Data (CVE-2026-4328) , Jun 19, 2026
Falang multilanguage for WordPress (CVE-2026-54805) , Jun 19, 2026
SMS Alert Order Notifications – WooCommerce (CVE-2026-54803) , Jun 19, 2026