Platform: wordpress
Component: ays-popup-box
Fixed in: 6.0.8
CVE-2025-69021 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Ays Pro Popup box WordPress plugin. It allows an attacker to cause unauthorized actions to be performed on behalf of an authenticated user without that user's knowledge. The issue affects versions 0.0.0 through 6.0.7; a fix is available in version 6.0.8.
A successful CSRF attack could allow an attacker to modify popup box settings, create new popups with malicious content, or perform other actions as the logged-in user. This could lead to defacement of the website, redirection of users to malicious sites, or the injection of phishing content. The blast radius is limited to the scope of actions that can be performed through the plugin's interface, but the potential for user compromise remains significant. Given the plugin's popularity, a wide range of WordPress sites could be vulnerable.
As of the publication date (2025-12-30), there is no indication of active exploitation of CVE-2025-69021. No public proof-of-concept (PoC) code has been released. The vulnerability is currently listed with a MEDIUM severity based on the CVSS score. It is not currently listed on the CISA KEV catalog.
WordPress websites using the Ays Pro Popup box plugin, particularly those running versions 0.0.0 through 6.0.7, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as they may not be immediately updated when a vulnerability is disclosed.
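To check an installation against the affected range stated above, this added example (not part of the advisory or of the plugin) reads the Version: field from a WordPress plugin header, such as the one at the top of ays-popup-box/ays-popup-box.php, and compares it with the fixed version 6.0.8. The header text embedded below is constructed for illustration and does not describe any real release.

```python
import re
from typing import Optional, Tuple

# Fixed version from the advisory; anything below it is in the affected range.
FIXED_VERSION = "6.0.8"

# Constructed sample of a WordPress plugin header block (assumed shape of the
# comment found at the top of the plugin's main .php file).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Popup Box
 * Description: Sample header, constructed for this example.
 * Version: 6.0.7
 * Text Domain: ays-popup-box
 */
"""

# Matches " * Version: 6.0.7" or "Version: 6.0.7" at the start of a header line.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def installed_version(plugin_file_text: str) -> Optional[str]:
    """Return the Version: value from a plugin header, or None if absent."""
    m = _VERSION_RE.search(plugin_file_text)
    return m.group(1) if m else None


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.0.7' into (6, 0, 7); a suffix such as '-beta' is ignored."""
    nums = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums) or (0,)


def is_affected(version: Optional[str], fixed: str = FIXED_VERSION) -> bool:
    """True when version < fixed. Missing trailing components count as 0,
    so '6' compares as 6.0.0. An unreadable header is reported as affected
    rather than silently skipped."""
    if version is None:
        return True
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


if __name__ == "__main__":
    v = installed_version(SAMPLE_PLUGIN_HEADER)
    print(f"installed {v}: {'AFFECTED' if is_affected(v) else 'patched'}")
```

Run it against the real file with `installed_version(open(path).read())`; any result of AFFECTED means the plugin should be updated to 6.0.8 or later.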
• wordpress / composer / npm:
  grep -r 'ays-popup-box/ays-popup-box.php' /var/www/html/
  wp plugin list | grep 'ays-popup-box'
• generic web:
  curl -sI https://your-wordpress-site.com/wp-content/plugins/ays-popup-box/ays-popup-box.php | grep -i '^HTTP/'
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Ays Pro Popup box plugin to version 6.0.8 or later. If an immediate upgrade is not possible because of compatibility issues or breaking changes, consider a Web Application Firewall (WAF) rule that blocks state-changing requests to the plugin's endpoints whose Origin or Referer header does not match the site, or which carry unusual parameters. Additionally, make sure all users are aware of the risk of clicking links from untrusted sources. After the upgrade, confirm the fix by reviewing the plugin's settings and verifying that no unauthorized changes have been made.
Update to version 6.0.8, or a newer patched version
CVE-2025-69021 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Ays Pro Popup box versions 0.0.0–6.0.7, allowing attackers to perform unauthorized actions.
You are affected if your WordPress site uses Ays Pro Popup box version 0.0.0 through 6.0.7. Check your plugin version and upgrade if necessary.
Upgrade the Ays Pro Popup box plugin to version 6.0.8 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
As of the publication date, there is no evidence of active exploitation of CVE-2025-69021.
Refer to the Ays Pro Popup box plugin's official website or WordPress plugin repository for the latest advisory and update information.