Description
Unauthenticated Cross Site Scripting (XSS) in Popup box <= 6.2.9 versions.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Cross Site Scripting (XSS) is present in the WordPress Popup box plugin for versions 6.2.9 and earlier. Input supplied by an unauthenticated attacker via a publicly accessible parameter is reflected in the page without proper sanitization, allowing the attacker to execute arbitrary JavaScript in the victim’s browser. This flaw, identified as CWE‑79, can lead to session hijacking, defacement, or data exfiltration.

Affected Systems

The vulnerability affects installations of the Ays Pro Popup box plugin for WordPress that are running version 6.2.9 or earlier. Any site that has not applied the 6.3.0 update remains susceptible.

Risk and Exploitability

The CVSS score of 7.1 signals a high severity, as the vulnerability allows an attacker to compromise user sessions and the integrity of the website. With the EPSS score unavailable and no listing in the CISA KEV catalog, it is unclear how frequently the flaw is being exploited in the wild, but the attack vector is straightforward: an unauthenticated attacker can craft a malicious request to a publicly exposed parameter and have the payload reflected and executed on the page viewed by other users.

Generated by OpenCVE AI on June 18, 2026 at 13:59 UTC.

Remediation

Vendor Solution

Update the WordPress Popup box Plugin to the latest available version (at least 6.3.0).


OpenCVE Recommended Actions

  • Update the WordPress Popup box plugin to version 6.3.0 or later.
  • If the update cannot be applied immediately, disable or remove the plugin from pages until the fix is installed.
  • Configure a web application firewall or similar security layer to detect and block reflected XSS attempts against the plugin’s input parameters.
  • Monitor site logs and browser console for unexpected JavaScript execution as an additional sign of exploitation.

Generated by OpenCVE AI on June 18, 2026 at 13:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Ays-pro
Ays-pro popup Box
Wordpress
Wordpress wordpress
Vendors & Products Ays-pro
Ays-pro popup Box
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in Popup box <= 6.2.9 versions.
Title WordPress Popup box plugin <= 6.2.9 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Ays-pro Popup Box
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:12:50.807Z

Reserved: 2026-06-12T09:15:46.417Z

Link: CVE-2026-54192

cve-icon Vulnrichment

Updated: 2026-06-17T12:12:37.515Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:00:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')