Description
Missing Authorization vulnerability in Ays Pro Popup Like box ays-facebook-popup-likebox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Like box: from n/a through <= 3.7.7.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply Patch
AI Analysis

Impact

The Ays Pro Popup Like box plugin contains a missing authorization flaw that allows attackers to bypass built‑in access controls. This vulnerability is identified as CWE‑862 and enables unauthenticated or minimally privileged users to modify the plugin’s configuration or view protected data. If exploited, an attacker could change settings, inject content, or otherwise disrupt the intended operation of the WordPress site.

Affected Systems

This issue affects all releases of the Ays Pro Popup Like box plugin through version 3.7.7 (inclusive). The affected product is the WordPress plugin Ays Pro:Popup Like box (ays‑facebook‑popup‑likebox) and any site that has installed this plugin with a version equal to or lower than 3.7.7.

Risk and Exploitability

CVSS score of 5.3 indicates a moderate severity. EPSS is less than 1 %, suggesting that at present, exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves authenticated web requests to the plugin’s endpoints because the flaw stems from incorrectly configured access control checks. While the vulnerability could be used to alter configuration or gain unauthorized information, it does not appear to provide full remote code execution or privilege escalation beyond the plugin’s scope.

Generated by OpenCVE AI on March 19, 2026 at 15:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ays Pro Popup Like box plugin to the latest version (>=3.7.8 if available).
  • If an update cannot be applied immediately, temporarily disable the plugin to prevent exploitation.
  • Monitor the vendor’s security advisories and contact support for a patch date.

Generated by OpenCVE AI on March 19, 2026 at 15:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Ays-pro
Ays-pro popup Like Box
Wordpress
Wordpress wordpress
Vendors & Products Ays-pro
Ays-pro popup Like Box
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Ays Pro Popup Like box ays-facebook-popup-likebox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Like box: from n/a through <= 3.7.7.
Title WordPress Popup Like box plugin <= 3.7.7 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Ays-pro Popup Like Box
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:15.159Z

Reserved: 2026-03-12T11:11:30.946Z

Link: CVE-2026-32428

cve-icon Vulnrichment

Updated: 2026-03-13T17:51:04.536Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:55:01.463

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32428

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:03:36Z

Weaknesses