Impact
This vulnerability enables an attacker to perform cross‑site request forgery (CSRF) against the Ays Pro:Popup box plugin. By getting a victim who is authenticated to the site to issue a forged request, the attacker can cause the plugin to execute privileged actions without the victim’s consent. The weakness is classified as CWE‑352 (Cross‑Site Request Forgery); it results in unauthorized modification of data or configuration and can lead to integrity violations such as unintended content changes, altered settings, or other side effects of the actions the plugin manages.
Affected Systems
The Ays Pro:Popup box WordPress plugin is affected in all releases from the initial version up to version 6.0.7 inclusive. No specific patch level is mentioned, so all installed instances of the plugin with a version not exceeding 6.0.7 are vulnerable.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. The EPSS score of less than 1% suggests that the likelihood of an exploit being observed in the wild is low, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation typically requires the victim to be authenticated to the WordPress site, so the threat is primarily directed at authenticated users, for example an administrator or a user with editing rights, rather than being something a fully unauthenticated attacker can carry out against the site on their own. Because CSRF attacks usually rely on the victim’s session cookies, the risk is reduced in unattended or locked‑down environments but remains significant for sites with broad user bases or potentially compromised infrastructure.
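The CSRF mechanism described above, and the fix a plugin developer would apply, can be seen in a hypothetical WordPress settings handler. This is an added illustration, not code from the Ays Pro:Popup box plugin or from OpenCVE; the `examplepopup_*` function names, hook names and the option key are assumptions. The first handler is the CWE‑352 pattern (it acts on any request that arrives with a logged‑in cookie), the second adds the WordPress nonce and capability checks that close it.

```php
<?php
/*
 * Added illustration (not Ays Pro:Popup box code): a hypothetical plugin
 * settings handler, first in a CSRF-prone form and then hardened.
 * All "examplepopup_*" names and the option key are assumptions.
 */

// --- Vulnerable pattern (CWE-352): trusts any request carrying a logged-in cookie.
// A browser attaches the victim's session cookies to a forged cross-site POST,
// so nothing here proves the victim intended the change.
function examplepopup_save_settings_unsafe() {
    if ( ! isset( $_POST['popup_enabled'] ) ) {
        wp_send_json_error( 'missing field' );
    }
    update_option( 'examplepopup_enabled', (bool) $_POST['popup_enabled'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_examplepopup_save_unsafe', 'examplepopup_save_settings_unsafe' );

// --- Hardened pattern: the nonce proves the request came from a page the site
// rendered for this user; the capability check enforces least privilege.
function examplepopup_save_settings() {
    // check_ajax_referer() validates the 'examplepopup_settings' nonce found in
    // $_POST['_ajax_nonce'] (or '_wpnonce') and dies with HTTP 403 on failure.
    check_ajax_referer( 'examplepopup_settings' );

    // Nonces only prove intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $raw     = isset( $_POST['popup_enabled'] ) ? sanitize_text_field( wp_unslash( $_POST['popup_enabled'] ) ) : '0';
    $enabled = ( '1' === $raw );
    update_option( 'examplepopup_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_examplepopup_save', 'examplepopup_save_settings' );

// The settings page must emit a matching nonce so legitimate requests pass.
function examplepopup_render_settings_page() {
    ?>
    <form id="examplepopup-settings" method="post">
        <?php wp_nonce_field( 'examplepopup_settings', '_ajax_nonce' ); ?>
        <input type="hidden" name="action" value="examplepopup_save">
        <label><input type="checkbox" name="popup_enabled" value="1"> Enable popup</label>
        <button type="submit">Save</button>
    </form>
    <?php
}
```

Two points worth checking when reviewing or patching a plugin of this kind: every state‑changing handler registered on `wp_ajax_*`, `admin_post_*` or `admin_init` should call `check_ajax_referer()` or `check_admin_referer()` before touching options or content, and the nonce check is not a substitute for `current_user_can()`, since a nonce is tied to the logged‑in user but says nothing about what that user may do. Failed nonce checks on `admin-ajax.php` surface as HTTP 403 responses in the web server log, which is a cheap signal to watch for after deploying a fix.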
OpenCVE Enrichment