Platform
wordpress
Component
ays-popup-box
Fixed in
6.0.8
CVE-2025-69021 is a Cross-Site Request Forgery (CSRF) vulnerability in the Ays Pro Popup box WordPress plugin (slug ays-popup-box). The attacker needs no credentials of their own: a logged-in WordPress user, typically an administrator, is lured onto an attacker-controlled page that silently submits a request to the vulnerable plugin endpoint, the victim's browser attaches their session cookie, and the site performs the action as that user. The issue affects all versions through 6.0.7 (listed as 0.0.0 through 6.0.7) and is fixed in version 6.0.8.
A successful attack could let the attacker change popup settings, create new popups with attacker-supplied content, or perform any other action the victim's account can perform through the plugin's interface. Because popups render on the public site, that can mean defacement, redirecting visitors to attacker-controlled sites, or injecting phishing content. The blast radius is bounded by what the plugin's own actions allow, but exploitation requires only that a privileged user visit a malicious page while logged in, so the practical risk is significant. Given the plugin's install base, a large number of WordPress sites may be exposed until they update.
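The mechanism above, shown as an added example rather than code from the ays-popup-box plugin: a hypothetical admin-ajax handler that saves popup content, first in the CSRF-prone form and then hardened the way WordPress expects, with a nonce check (check_ajax_referer) and a capability check. The action name `example_pb_save_popup`, the option `example_pb_popup_content`, the field `pb_content` and the script handle are assumptions for illustration; the page does not identify the plugin's actual vulnerable handler.

```php
<?php
/*
 * Added example, not code from the ays-popup-box plugin or from this advisory.
 * All hook names, option names and field names here are hypothetical.
 */

// --- Vulnerable pattern (not hooked below, shown for contrast).
// Any logged-in user whose browser can be made to POST to
// /wp-admin/admin-ajax.php?action=example_pb_save_popup has the popup
// overwritten, because nothing ties the request to a page this site
// rendered for that user. The browser supplies the session cookie for free.
function example_pb_save_popup_vulnerable() {
    $content = isset( $_POST['pb_content'] ) ? wp_unslash( $_POST['pb_content'] ) : '';
    update_option( 'example_pb_popup_content', wp_kses_post( $content ) );
    wp_send_json_success();
}

// --- Hardened pattern. The nonce proves the request was built from a form or
// script this site rendered for this user within the nonce lifetime; the
// capability check stops lower-privileged accounts from using the endpoint.
function example_pb_save_popup_hardened() {
    // check_ajax_referer() ends the request with a 403 when the nonce in
    // $_REQUEST['_ajax_nonce'] (or '_wpnonce') is missing or does not verify
    // for this action.
    check_ajax_referer( 'example_pb_save_popup' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    $content = isset( $_POST['pb_content'] ) ? wp_unslash( $_POST['pb_content'] ) : '';
    update_option( 'example_pb_popup_content', wp_kses_post( $content ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_pb_save_popup', 'example_pb_save_popup_hardened' );

// The admin page that renders the form must mint the matching nonce for the
// JavaScript that submits it. wp_create_nonce() ties the value to the current
// user and session, so an attacker's page cannot read or forge it.
function example_pb_enqueue_admin_script( $hook_suffix ) {
    wp_enqueue_script( 'example-pb-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-pb-admin', 'examplePb', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_pb_save_popup' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_pb_enqueue_admin_script' );
```

The (hypothetical) admin.js then posts `action=example_pb_save_popup`, `_ajax_nonce=examplePb.nonce` and `pb_content=...` to `examplePb.ajaxUrl`. A forged request from another origin can copy the action and field names, but not the nonce, so it fails before `update_option` runs. Note that a nonce alone does not authorize; the `current_user_can` check is still needed because every logged-in user can obtain a nonce for any action name.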
As of the publication date (2025-12-30) there is no indication of active exploitation of CVE-2025-69021, and no public proof-of-concept (PoC) code has been released. The vulnerability is rated MEDIUM severity based on its CVSS score and is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the Ays Pro Popup box plugin to version 6.0.8 or later. If an immediate upgrade is not possible because of compatibility concerns, a temporary compensating control is to reject cross-site state-changing requests at the edge: a Web Application Firewall (WAF) or reverse-proxy rule that blocks POST requests to wp-admin endpoints (including admin-ajax.php and admin-post.php) whose Origin or Referer header is absent or does not match the site's own origin. A WAF cannot "filter CSRF tokens": the forged request carries the victim's legitimate session cookie, so the only signals available at the edge are the request's origin headers and unusual parameter patterns, and such a rule can break legitimate integrations that call those endpoints from other origins, so test it in log-only mode before enforcing. Do not rely on the browser's default SameSite=Lax cookie behaviour either; it withholds cookies on cross-site POSTs but not on top-level GET navigations. Reduce exposure further by having administrators log out of wp-admin when they are done and avoid browsing untrusted sites in the same browser profile, since CSRF only works while the victim holds a valid session. After upgrading, review the plugin's popups and settings for unauthorized changes, paying particular attention to recently created or modified popups.
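The edge check described above can also be applied inside WordPress itself when no WAF is available. The following is an added example, not part of the ays-popup-box plugin or of this advisory: a must-use plugin (placed in wp-content/mu-plugins/) that rejects unsafe-method requests to wp-admin endpoints whose Origin or Referer host does not match the site's host. The function names are assumptions; the WordPress functions it calls (wp_parse_url, home_url, status_header, wp_die, add_action) are real.

```php
<?php
/*
 * Added example, not code from the ays-popup-box plugin or from this advisory.
 * Stop-gap origin check for sites that cannot upgrade yet. It does not replace
 * the nonce verification that the plugin's own fix provides.
 */

/**
 * Return true when the request is a cross-site, state-changing request aimed
 * at a wp-admin endpoint (admin-ajax.php, admin-post.php, any admin page).
 * Pure function so it can be reasoned about without a live request.
 */
function example_csrf_guard_is_suspicious( $method, $path, $origin, $referer, $site_host ) {
    // Only unsafe methods can change state; GET is left alone so that ordinary
    // navigation and read-only AJAX keep working.
    if ( ! in_array( $method, array( 'POST', 'PUT', 'PATCH', 'DELETE' ), true ) ) {
        return false;
    }
    // strpos rather than a prefix test, so subdirectory installs still match.
    if ( strpos( $path, '/wp-admin/' ) === false ) {
        return false;
    }
    // Prefer Origin (browsers send it on cross-site POSTs); fall back to Referer.
    $source = ( $origin !== '' ) ? $origin : $referer;
    if ( $source === '' ) {
        // Both headers absent: same-site cannot be proven, treat as suspicious.
        return true;
    }
    // An Origin of "null" or an unparsable value yields no host and is blocked.
    $source_host = wp_parse_url( $source, PHP_URL_HOST );
    return strcasecmp( (string) $source_host, $site_host ) !== 0;
}

function example_csrf_guard_enforce() {
    $method    = isset( $_SERVER['REQUEST_METHOD'] ) ? strtoupper( $_SERVER['REQUEST_METHOD'] ) : 'GET';
    $path      = isset( $_SERVER['REQUEST_URI'] ) ? (string) wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) : '';
    $origin    = isset( $_SERVER['HTTP_ORIGIN'] ) ? $_SERVER['HTTP_ORIGIN'] : '';
    $referer   = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
    $site_host = (string) wp_parse_url( home_url(), PHP_URL_HOST );

    if ( example_csrf_guard_is_suspicious( $method, $path, $origin, $referer, $site_host ) ) {
        // Log first so a log-only trial run is possible by commenting out the
        // two lines that follow.
        error_log( sprintf( 'csrf-guard: blocked %s %s origin=%s referer=%s', $method, $path, $origin, $referer ) );
        status_header( 403 );
        wp_die( 'Cross-site request blocked.', 'Forbidden', array( 'response' => 403 ) );
    }
}
// 'init' fires after wp-settings.php loads and before admin-ajax.php dispatches
// the requested action, so the check runs ahead of any plugin handler.
add_action( 'init', 'example_csrf_guard_enforce' );
```

Run it with the `status_header`/`wp_die` lines commented out first and watch the error log: any legitimate third-party service that posts to admin-post.php or admin-ajax.php from its own origin will show up there and needs an allow-list entry before enforcement. Requests with no Origin and no Referer are blocked deliberately; privacy extensions that strip Referer on same-site POSTs are rare, but if your users hit that, relax the empty-header case rather than the mismatch case.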
Update to version 6.0.8, or a newer patched version
CVE-2025-69021 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Ays Pro Popup box versions 0.0.0–6.0.7, allowing attackers to perform unauthorized actions.
You are affected if your WordPress site runs Ays Pro Popup box version 0.0.0 through 6.0.7, that is, any version before 6.0.8. The installed version is shown on the Plugins screen in wp-admin; upgrade if it is below 6.0.8.
Upgrade the Ays Pro Popup box plugin to version 6.0.8 or later to resolve the vulnerability. Until then, a WAF or reverse-proxy rule that rejects cross-origin POST requests to wp-admin endpoints is a reasonable temporary workaround, not a substitute for the fix.
As of the publication date, there is no evidence of active exploitation of CVE-2025-69021.
Refer to the Ays Pro Popup box plugin's official website or WordPress plugin repository for the latest advisory and update information.