The PopAd plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the PopAd_reset_cookie_time function. This makes it possible for unauthenticated attackers to reset cookie time settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Metrics
Affected Vendors & Products
References
History
Thu, 04 Sep 2025 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Thu, 04 Sep 2025 13:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Wordpress
Wordpress wordpress |
|
Vendors & Products |
Wordpress
Wordpress wordpress |
Thu, 04 Sep 2025 09:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The PopAd plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the PopAd_reset_cookie_time function. This makes it possible for unauthenticated attackers to reset cookie time settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |
Title | PopAd <= 1.0.4 - Cross-Site Request Forgery to Settings Update | |
Weaknesses | CWE-352 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2025-09-04T14:26:54.162Z
Reserved: 2025-08-28T17:42:17.929Z
Link: CVE-2025-9616

Updated: 2025-09-04T14:26:51.650Z

Status : Awaiting Analysis
Published: 2025-09-04T10:42:35.773
Modified: 2025-09-04T15:35:29.497
Link: CVE-2025-9616

No data.

Updated: 2025-09-04T13:12:04Z