Impact
Unauthenticated Cross Site Scripting (XSS) is present in the WordPress Popup box plugin for versions 6.2.9 and earlier. Input supplied by an unauthenticated attacker via a publicly accessible parameter is reflected in the page without proper sanitization, allowing the attacker to execute arbitrary JavaScript in the victim’s browser. This flaw, identified as CWE‑79, can lead to session hijacking, defacement, or data exfiltration.
Affected Systems
The vulnerability affects installations of the Ays Pro Popup box plugin for WordPress that are running version 6.2.9 or earlier. Any site that has not applied the 6.3.0 update remains susceptible.
Risk and Exploitability
The CVSS score of 7.1 signals a high severity, as the vulnerability allows an attacker to compromise user sessions and the integrity of the website. With the EPSS score unavailable and no listing in the CISA KEV catalog, it is unclear how frequently the flaw is being exploited in the wild, but the attack vector is straightforward: an unauthenticated attacker can craft a malicious request to a publicly exposed parameter and have the payload reflected and executed on the page viewed by other users.
OpenCVE Enrichment