Description
Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Popup Box popup-box allows Cross Site Request Forgery.This issue affects Popup Box: from n/a through <= 3.2.4.
Published: 2025-01-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery (CSRF) flaw in Wow‑Company Popup Box allows an attacker to trick an authenticated user into executing unwanted actions on the WordPress site. The vulnerability exists because the plugin fails to verify a unique, per‑session token on sensitive requests, enabling an attacker to craft a malicious link that will perform the action the user has permission to do.

Affected Systems

The affected product is the Wow‑Company Popup Box WordPress plugin, versions up to and including 3.2.4. Any WordPress installation that has this plugin with a vulnerable version is at risk.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests low overall exploitation probability at this time. The vulnerability is not listed in the CISA KEV catalog, and it requires that the threat actor obtain a link that the victim visits while authenticated. Once that occurs, the attacker can trigger privileged actions on the victim’s behalf with little additional effort.

Generated by OpenCVE AI on May 1, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Popup Box plugin to version 3.2.5 or later, which removes the CSRF flaw.
  • If an immediate update is not possible, temporarily deactivate or uninstall the plugin to eliminate the exposure.
  • Restrict administrative access to the site, monitor login activity, and consider deploying a Web Application Firewall to add an extra layer of protection against CSRF attempts.

Generated by OpenCVE AI on May 1, 2026 at 18:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3903 Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Popup Box allows Cross Site Request Forgery. This issue affects Popup Box: from n/a through 3.2.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Popup Box allows Cross Site Request Forgery. This issue affects Popup Box: from n/a through 3.2.4. Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Popup Box popup-box allows Cross Site Request Forgery.This issue affects Popup Box: from n/a through <= 3.2.4.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Fri, 24 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Popup Box allows Cross Site Request Forgery. This issue affects Popup Box: from n/a through 3.2.4.
Title WordPress Popup Box Plugin <= 3.2.4 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Subscriptions

Wow-company Popup Box
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:32.751Z

Reserved: 2025-01-23T14:52:31.177Z

Link: CVE-2025-24711

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2025-01-24T18:15:44.330

Modified: 2026-04-23T15:25:20.693

Link: CVE-2025-24711

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T18:45:15Z

Weaknesses