Platform
wordpress
Component
ays-popup-box
Fixed in
5.5.0
5.5.1
CVE-2025-15611 represents a stored Cross-Site Scripting (XSS) vulnerability affecting the Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress. Successful exploitation allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to user session hijacking or defacement. This vulnerability impacts versions of the plugin up to 5.5.0. A patch is available in version 5.5.0.
The Stored Cross-Site Scripting (XSS) vulnerability in the 'Popup Box – Create Countdown, Coupon, Video, Contact Form Popups' plugin allows unauthenticated attackers to inject malicious scripts into WordPress pages. These scripts will execute whenever a user accesses the compromised page, potentially leading to cookie theft, redirection to malicious websites, or modification of page content. The CVSS score of 7.2 indicates a medium-high risk, meaning exploitation is relatively easy and the impact can be significant. Insufficient user input sanitization and lack of output escaping are the root causes of this vulnerability. This affects websites utilizing the plugin where attackers can manipulate input fields to insert JavaScript code.
An attacker could exploit this vulnerability by injecting malicious JavaScript code through plugin input fields, such as text fields in popup configurations. This code will be stored in the database and executed every time a user visits the page displaying the popup. The lack of authentication means the attacker doesn't need access to the WordPress admin panel to exploit the vulnerability. Exploitation is more effective on high-traffic websites, increasing the likelihood of the malicious script executing on multiple users.
Exploit Status
EPSS
0.02% (6% percentile)
CVSS Vector
The solution to this vulnerability is to update the 'Popup Box – Create Countdown, Coupon, Video, Contact Form Popups' plugin to version 5.5.0 or higher. This update includes the necessary fixes to prevent malicious script injection. Additionally, regularly review plugin settings to ensure available security options are utilized. Implementing a Content Security Policy (CSP) can help mitigate the impact of an XSS attack, even if the update isn't immediate. Monitoring server logs for suspicious activity is also a good practice to detect and respond to potential attacks.
Update to version 5.5.0, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into legitimate websites. These scripts execute in the user's browser, potentially allowing the attacker to steal sensitive information or perform actions on behalf of the user.
If you are using a version of the 'Popup Box' plugin prior to 5.5.0, you are likely affected. Review your server logs for suspicious activity.
CVSS (Common Vulnerability Scoring System) is a standard for assessing the severity of security vulnerabilities. A score of 7.2 indicates a medium-high risk.
CSP is an additional layer of security that allows website administrators to define which resources (such as scripts, images, and styles) can be loaded on a web page. This helps prevent XSS attacks by restricting the execution of unauthorized scripts.
If you suspect your website has been compromised, immediately update the plugin to the latest version, scan your website for malware, and consider consulting a security professional for assistance.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.