Description
Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery. This issue affects Popup box: from n/a through <= 5.5.4.
Published: 2025-10-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Ays Pro Popup box WordPress plugin performs at least one state-changing action without verifying that the request was intentionally issued by the logged-in user (CWE-352). Browsers attach a site's cookies to requests that other sites trigger, so an attacker who gets a logged-in user with sufficient privileges to load a page they control (via a link, an auto-submitting form, or markup embedded in another site) can have that user's browser send the forged request, and the plugin acts on it with the victim's privileges. The advisory does not name the affected action; the integrity-only CVSS rating is consistent with unauthorized changes to the plugin's configuration or popup content rather than data disclosure or site takeover.

Affected Systems

All versions of the Ays Pro Popup box plugin (slug ays-popup-box) up to and including 5.5.4 are affected; the advisory gives no lower bound ("from n/a"). No other vendors or product lines are listed.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) rates the issue moderate: low integrity impact and no confidentiality or availability impact. The recorded vector carries UI:N, although CSRF by construction needs a victim to act (load the attacker's page), which would normally be scored UI:R; treat the number as a rough guide rather than a precise measure. The EPSS of <1% indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack is browser-based: the attacker must lure a logged-in user with the relevant privileges, typically an administrator, onto a page that issues the forged request, which the browser then sends with the victim's session cookies. The advisory does not specify which action lacks the check, so the concrete outcome is unknown; the plausible result is unauthorized modification of popup content or settings.

Generated by OpenCVE AI on April 29, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ays Pro Popup box plugin to a release newer than 5.5.4 in which the vendor addresses the CSRF issue. This page records no fixed version, so confirm the fix in the plugin's changelog before relying on it.
  • CSRF rides the victim's own authenticated session, so restricting the plugin's admin pages to logged-in users does not help. Until a fix is available, reduce exposure instead: keep the number of administrator accounts small, have administrators avoid browsing untrusted sites while logged in to wp-admin, and consider deactivating the plugin. Browsers' default SameSite=Lax cookie handling blocks cross-site POST but still sends cookies on cross-site top-level GET navigations, so it only mitigates the issue if the affected action is POST-only.
  • Nonce verification (wp_nonce_field() in the form and check_admin_referer() or wp_verify_nonce() in the handler, check_ajax_referer() for admin-ajax handlers) has to be added by the plugin developer; a site operator cannot switch it on. Referer validation is a weaker fallback because the header can be absent.
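As an added illustration, not code from the Popup box plugin, from Ays Pro, or from this advisory, the following shows the pattern behind CWE-352 in a WordPress admin-post handler and the nonce-based fix the actions above refer to. The hook names (example_popup_save_unsafe, example_popup_save), the option name and the form field are hypothetical stand-ins for whatever action the advisory concerns; the WordPress functions used (add_action, current_user_can, wp_nonce_field, check_admin_referer, admin_url, update_option, wp_safe_redirect, submit_button) are real core APIs.

```php
<?php
/**
 * Added illustration, not code from the Popup box plugin or from Ays Pro.
 * Hook names, option name and form field are hypothetical stand-ins for
 * whatever unguarded admin action the advisory refers to.
 */

// --- VULNERABLE PATTERN (CWE-352) ----------------------------------------
// An admin-post.php handler that trusts any request arriving with a valid
// admin session. The browser attaches the victim's cookies to a cross-site
// form post, so a page the attacker controls can drive this handler.
add_action( 'admin_post_example_popup_save_unsafe', 'example_popup_save_vulnerable' );
function example_popup_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // A capability check alone is not CSRF protection: the victim *is* an admin.
    $title = isset( $_POST['popup_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['popup_title'] ) )
        : '';
    update_option( 'example_popup_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=example-popup&updated=1' ) );
    exit;
}

// Constructed attacker page that exploits the handler above when a logged-in
// administrator loads it (the site name is hypothetical):
//   <form id="f" method="POST" action="https://victim.example/wp-admin/admin-post.php">
//     <input type="hidden" name="action" value="example_popup_save_unsafe">
//     <input type="hidden" name="popup_title" value="Session expired, sign in at evil.example">
//   </form>
//   <script>document.getElementById('f').submit();</script>

// --- HARDENED PATTERN ----------------------------------------------------
// 1. The settings form carries a nonce bound to this action and to the
//    current user. An attacker's page cannot read it (cross-origin), so it
//    cannot include a valid value in the forged request.
function example_popup_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_popup_save', 'example_popup_nonce' ); ?>
        <input type="hidden" name="action" value="example_popup_save">
        <input type="text" name="popup_title"
               value="<?php echo esc_attr( get_option( 'example_popup_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler refuses the request unless the nonce verifies.
//    check_admin_referer() calls wp_die() on failure, so a forged request
//    never reaches update_option().
add_action( 'admin_post_example_popup_save', 'example_popup_save_hardened' );
function example_popup_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_popup_save', 'example_popup_nonce' );

    $title = isset( $_POST['popup_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['popup_title'] ) )
        : '';
    update_option( 'example_popup_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=example-popup&updated=1' ) );
    exit;
}
```

The attacker page in the comment only works against the unsafe handler: the same page pointed at example_popup_save fails at check_admin_referer(), which ends the request with wp_die() before any option is written. WordPress nonces are tied to the user and the action and expire after 12 to 24 hours; they are not single-use, but that is sufficient against CSRF. For state changes triggered by a link rather than a form, generate the URL with wp_nonce_url() and verify it the same way; for admin-ajax handlers, use check_ajax_referer().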


Tracking


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through 5.5.4.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through <= 5.5.4.
CPEs cpe:2.3:a:ays_pro:popup_box:*:*:*:*:*:*:*:*
Vendors & Products Ays Pro
Ays Pro popup Box
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Ays Pro
Ays Pro popup Box
CPEs cpe:2.3:a:ays_pro:popup_box:*:*:*:*:*:*:*:*
Vendors & Products Ays Pro
Ays Pro popup Box
References

Wed, 29 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Oct 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Ays-pro
Ays-pro popup Box
Wordpress
Wordpress wordpress
Vendors & Products Ays-pro
Ays-pro popup Box
Wordpress
Wordpress wordpress

Wed, 29 Oct 2025 04:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through 5.5.4.
Title WordPress Popup box plugin <= 5.5.4 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:38.812Z

Reserved: 2025-08-22T11:36:24.370Z

Link: CVE-2025-57931

Vulnrichment

Updated: 2025-10-29T14:05:09.769Z

NVD

Status : Deferred

Published: 2025-10-29T04:15:52.820

Modified: 2026-04-23T15:33:03.293

Link: CVE-2025-57931

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:30:22Z

Weaknesses