Description
Administrator SQL Injection in Popup box <= 6.0.1 versions.
Published: 2026-06-26
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an administrative-level SQL Injection in the WordPress Popup box plugin, version 6.0.1 and earlier. Because the plugin concatenates unsanitized user input into SQL statements, an attacker with administrative rights could inject arbitrary SQL, potentially accessing or altering sensitive database contents. This flaw falls under CWE-89.

Affected Systems

The affected product is Ays Pro: Popup box, versions up to and including 6.0.1. No other vendors or product variants are listed.

Risk and Exploitability

The CVSS score of 7.6 indicates a high-severity risk. EPSS data is not available, and the absence of a listing in CISA's KEV catalog suggests no confirmed field-wide exploitation yet. The likely attack vector is the plugin's administrative interface, so the attacker must already hold WordPress administrative privileges or compromise an administrative account. Once an attacker gains such access, the injection can lead to data exposure, modification, or potential privilege escalation within the WordPress environment.

Generated by OpenCVE AI on June 26, 2026 at 16:56 UTC.

Remediation

Vendor Solution

Update the WordPress Popup box plugin to the latest available version (at least 6.0.2).


OpenCVE Recommended Actions

  • Update the WordPress Popup box plugin to version 6.0.2 or later
  • Restrict WordPress administrative access to trusted users and consider locking the site’s admin area during the update
  • If an immediate update is not possible, disable the Popup box plugin until a patched version is deployed

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Ays-pro; Ays-pro popup Box; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Ays-pro; Ays-pro popup Box; Wordpress; Wordpress wordpress

Fri, 26 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Administrator SQL Injection in Popup box <= 6.0.1 versions.

Type: Title
  Values Removed: (none)
  Values Added: WordPress Popup box plugin <= 6.0.1 - SQL Injection vulnerability

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-89

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T16:39:06.326Z

Reserved: 2026-06-25T08:03:10.451Z

Link: CVE-2026-57631

Vulnrichment

Updated: 2026-06-26T16:39:02.172Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T21:15:03Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')