Impact
The flaw lies in the Popup Box WordPress plugin, where the add_or_edit_popupbox() function does not properly validate nonces before saving popup data. This defect permits an attacker to perform a cross‑site request forgery that injects arbitrary JavaScript into a popup. The injected script runs with the privileges of the site administrator when the admin visits a malicious page and also executes on the public front‑end, allowing an attacker to deface the site, steal data, or hijack sessions.
Affected Systems
WordPress sites running the Popup Box plugin (identified as ays‑pro:popup_box) at any version prior to 5.5.0 are vulnerable. The source data gives no vendor branding beyond the product name 'Popup Box'.
Risk and Exploitability
The vulnerability is scored 5.4 under CVSS v3.1, indicating a moderate impact. The EPSS score of less than 1 percent suggests a low to moderate likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. Exploitation requires an attacker to trick an authenticated administrator into viewing a malicious URL that triggers a popup save without a nonce check. Once triggered, the attacker can inject arbitrary JavaScript into the popup, which executes in the admin panel and on the front page. The threat is moderated by the need for a target admin account and for that admin to visit the malicious page.
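The pattern behind this class of bug, as an added example that is not the Popup Box plugin's source: a save handler that checks only the user's capability, next to one that verifies a nonce and sanitizes before storing. The handler names, option name, form fields and admin page slug are hypothetical; the WordPress functions called are core APIs.

```php
<?php
// Added illustration with hypothetical names; not taken from the plugin.

// BEFORE: a capability check alone does not stop CSRF, because a forged
// request from the admin's browser carries the admin's session cookies.
function example_save_popup_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    update_option( 'example_popup', array(
        'title' => wp_unslash( $_POST['popup_title'] ),
        'body'  => wp_unslash( $_POST['popup_body'] ), // stored and later rendered as-is
    ) );
}

// AFTER: nonce first, then capability, then sanitize before storing.
function example_save_popup() {
    // Ends the request with a 403 unless it carries a valid nonce for this action.
    check_admin_referer( 'example_save_popup', 'example_popup_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $title = isset( $_POST['popup_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['popup_title'] ) ) : '';
    // wp_kses_post() keeps ordinary post markup and strips <script> and event handlers.
    $body = isset( $_POST['popup_body'] )
        ? wp_kses_post( wp_unslash( $_POST['popup_body'] ) ) : '';

    update_option( 'example_popup', array( 'title' => $title, 'body' => $body ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-popup&saved=1' ) );
    exit;
}
add_action( 'admin_post_example_save_popup', 'example_save_popup' );

// The admin form must emit the matching nonce field, or every save is rejected.
function example_render_popup_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_popup">';
    wp_nonce_field( 'example_save_popup', 'example_popup_nonce' );
    echo '<input type="text" name="popup_title">';
    echo '<textarea name="popup_body"></textarea>';
    submit_button( 'Save popup' );
    echo '</form>';
}
```

Output escaping at render time (for example esc_html() on the title) remains necessary even with the nonce in place, since the nonce only stops forged requests and does not clean data already stored.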