CVE-2025-15611: WordPress XSS in Popup Box Plugin (≤5.5.0)
- Platform: wordpress
- Component: ays-popup-box
- Fixed in: 5.5.0, 5.5.1
CVE-2025-15611 represents a stored Cross-Site Scripting (XSS) vulnerability affecting the Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress. Successful exploitation allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to user session hijacking or defacement. This vulnerability impacts versions of the plugin up to 5.5.0. A patch is available in version 5.5.0.
Impact and Attack Scenarios
The stored Cross-Site Scripting (XSS) vulnerability in the 'Popup Box – Create Countdown, Coupon, Video, Contact Form Popups' plugin allows unauthenticated attackers to inject malicious scripts into WordPress pages. These scripts execute whenever a user loads the affected page, potentially leading to cookie theft, redirection to malicious websites, or modification of page content. The CVSS score of 7.2 indicates a medium-high risk: exploitation is relatively easy and the impact can be significant. The root causes are insufficient sanitization of user input and missing output escaping, so any website running the plugin where attackers can reach the affected input fields can have JavaScript inserted into its pages.
Exploitation Context
An attacker could exploit this vulnerability by injecting malicious JavaScript through plugin input fields, such as text fields in popup configurations. The injected code is stored in the database and runs every time a user visits the page displaying the popup. Because no authentication is required, the attacker does not need access to the WordPress admin panel. The impact grows with site traffic, since the stored script runs in the browser of every visitor to the affected page.
Threat Intelligence
Exploit Status
EPSS: 0.02% (6th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
- Integrity: Low — attacker can modify some data with limited scope or impact.
- Availability: None — no availability impact. Service remains fully operational.
Affected Software
Package Information
- Active installs: 50K
- Plugin rating: 4.6
- Requires WordPress: 4.0+
- Compatible up to: 7.0
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The solution is to update the 'Popup Box – Create Countdown, Coupon, Video, Contact Form Popups' plugin to version 5.5.0 or higher, which includes the fix that prevents malicious script injection. Additionally, review plugin settings regularly to ensure the available security options are in use. A Content Security Policy (CSP) limits what an injected script can do and reduces the impact of an XSS even before the update is applied. Monitoring server logs for suspicious activity also helps detect and respond to attempted attacks.
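The advisory names two root causes (missing input sanitization and missing output escaping) and recommends a CSP as an interim mitigation. The following PHP is an added example, not code from the plugin or from this advisory: it shows the unsafe rendering pattern beside the escaped one, a sanitizer for the stored value, and a CSP header value. The `popup-title` class, the function names and the sample input are constructed for the demonstration; `htmlspecialchars()` is used so the file runs under the plain `php` CLI, where a real plugin would call WordPress's `esc_html()`/`esc_attr()` and `sanitize_text_field()`.

```php
<?php
// Added example (not the plugin's code). The popup field name, CSS class and
// the sample input below are constructed for this demonstration.

declare(strict_types=1);

/**
 * Vulnerable pattern: the stored value is concatenated into markup as-is,
 * so any HTML or script inside it becomes part of the page.
 */
function render_popup_unsafe(string $title): string
{
    return '<div class="popup-title">' . $title . '</div>';
}

/**
 * Output escaping: the value is rendered as text, never as markup.
 * htmlspecialchars() keeps this runnable outside WordPress; inside a plugin
 * use esc_html() for element content and esc_attr() for attribute values.
 */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_popup_safe(string $title): string
{
    return '<div class="popup-title">' . escape_html($title) . '</div>';
}

/**
 * Input-side defence applied before the value is stored: strip tags and
 * control characters, roughly what sanitize_text_field() does in WordPress.
 * This complements output escaping; it does not replace it.
 */
function sanitize_text(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    return trim($value);
}

/**
 * Content Security Policy for the front end: only same-origin script files
 * may run, so an inline <script> smuggled into stored content is refused by
 * the browser even on a site that has not yet deployed the escaping fix.
 * In WordPress, emit it from the 'send_headers' action:
 *   add_action('send_headers', fn() => header('Content-Security-Policy: ' . csp_header_value()));
 */
function csp_header_value(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed sample: attacker-controlled text carrying a script tag.
$untrusted = "Summer sale <script>alert(1)</script>";

echo render_popup_unsafe($untrusted), PHP_EOL;          // script tag reaches the page
echo render_popup_safe($untrusted), PHP_EOL;            // rendered as inert text
echo render_popup_safe(sanitize_text($untrusted)), PHP_EOL; // tags stripped, then escaped
echo 'Content-Security-Policy: ', csp_header_value(), PHP_EOL;
```

Run it with `php example.php`: the first line shows the raw `<script>` element that a browser would execute, the second shows it entity-encoded (`&lt;script&gt;`), and the third shows the sanitized value with the tags removed entirely. The CSP line is the header a site can deploy today; note that `script-src 'self'` also blocks legitimate inline scripts, so themes and plugins that rely on them need nonces or hashes before the policy is enforced.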
How to fix
Update to version 5.5.0, or a newer patched version
Frequently asked questions
What is CVE-2025-15611 — Cross-Site Scripting (XSS) in Popup Box – Create Countdown, Coupon, Video, Contact Form Popups?
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into legitimate websites. These scripts execute in the user's browser, potentially allowing the attacker to steal sensitive information or perform actions on behalf of the user.
Am I affected by CVE-2025-15611 in Popup Box – Create Countdown, Coupon, Video, Contact Form Popups?
If you are using a version of the 'Popup Box' plugin prior to 5.5.0, you are likely affected. Review your server logs for suspicious activity.
How do I fix CVE-2025-15611 in Popup Box – Create Countdown, Coupon, Video, Contact Form Popups?
CVSS (Common Vulnerability Scoring System) is a standard for assessing the severity of security vulnerabilities. A score of 7.2 indicates a medium-high risk.
Is CVE-2025-15611 being actively exploited?
CSP is an additional layer of security that allows website administrators to define which resources (such as scripts, images, and styles) can be loaded on a web page. This helps prevent XSS attacks by restricting the execution of unauthorized scripts.
Where can I find the official Popup Box – Create Countdown, Coupon, Video, Contact Form Popups advisory for CVE-2025-15611?
If you suspect your website has been compromised, immediately update the plugin to the latest version, scan your website for malware, and consider consulting a security professional for assistance.