The Popup Box plugin for WordPress is vulnerable to Cross‑Site Request Forgery in all versions up to and including 6.1.1. A flawed nonce implementation in the function responsible for publishing and unpublishing popups verifies a self‑created value instead of the nonce supplied in the HTTP request. This omission allows an unauthenticated third party to alter the publish status of popups through a forged request. Because the change can be performed without authentication, the plugin's configuration can be modified by an attacker, potentially enabling them to inject or expose unintended content.

The vulnerability affects the ays‑pro Popup Box plugin, available for WordPress sites. Versions from the initial release through 6.1.1 are impacted. The plugin was updated to 6.1.2 in September 2026 to address the flaw, so any site using 6.1.1 or earlier is at risk. All WordPress installations that rely on this plugin for countdowns, coupons, videos, or contact forms fall under the affected scope.

The CVSS score of 4.3 reflects low to medium severity, and the EPSS indicates a very low probability of exploitation as of the last update. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires the attacker to convince a site administrator to load a crafted link or form, so the attack vector is social engineering combined with CSRF. If an admin is deceived, the attacker could toggle popups between published and unpublished states, potentially disrupting marketing workflows or exposing unwanted content. Overall, the risk is low to moderate, but for sites that rely heavily on popups for revenue or branding, updating the plugin mitigates the risk entirely.