Popup Box

popup_box

Vendor: Ays Pro • 10 CVEs

CVEs (10)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-15611 1Ays Pro 1Popup Box Apr 9, 2026 Apr 7, 2026 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery att...Show more The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.Show less
CVE-2024-9599 1Ays Pro 1Popup Box Jun 4, 2025 May 15, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered...Show more The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).Show less
CVE-2023-6591 1Ays Pro 1Popup Box Nov 21, 2024 Feb 12, 2024 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The Popup Box WordPress plugin before 20.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is di...Show more The Popup Box WordPress plugin before 20.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowedShow less
CVE-2023-5874 1Ays Pro 1Popup Box Nov 21, 2024 Dec 4, 2023 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_...Show more The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)Show less
CVE-2023-5809 1Ays Pro 1Popup Box Nov 21, 2024 Dec 4, 2023 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_...Show more The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)Show less
CVE-2023-5343 1Ays Pro 1Popup Box Nov 21, 2024 Nov 20, 2023 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The Popup box WordPress plugin before 3.7.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is dis...Show more The Popup box WordPress plugin before 3.7.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.Show less
CVE-2023-4390 1Ays Pro 1Popup Box Apr 23, 2025 Oct 31, 2023 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html ca...Show more The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).Show less
CVE-2023-27414 1Ays Pro 1Popup Box Nov 21, 2024 Jun 21, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Popup Box Team Popup box plugin <= 3.4.4 versions.
CVE-2021-24460 1Ays Pro 1Popup Box Nov 21, 2024 Aug 2, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The get_fb_likeboxes() function in the Popup Like box – Page Plugin WordPress plugin before 3.5.3 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB c...Show more The get_fb_likeboxes() function in the Popup Like box – Page Plugin WordPress plugin before 3.5.3 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboardShow less
CVE-2021-24458 1Ays Pro 1Popup Box Nov 21, 2024 Aug 2, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_res...Show more The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboardShow less