Popup Box AYS Pro < 5.5.0 – Admin+ Stored Cross-Site Scripting (XSS) via CSRF | CVE 2025-15611 | Plugin Vulnerabilities

Description

The plugin does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.

Proof of Concept

1. Create an HTML page with an auto-submitting form targeting https://target.com/wp-admin/admin.php?page=ays-pb&action=add
2. Include a payload in the ays-pb[popup_description] field: <script>alert(1)</script>
3. Trick an authenticated admin into visiting the malicious page
4. The popup is created with the XSS payload stored in the database

Affects Plugins

Fixed in 5.5.0

References

CVE

URL

https://spider-security.co.uk/csrf-to-xss-vulnerability-in-wordpress-plugin-with-50000-installs/

URL

https://spider-security.co.uk/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Spider Sec Ltd

Submitter

Spider Sec Ltd

Submitter website

https://spider-security.co.uk

Verified

Yes

WPVDB ID

089ea763-2421-4089-a220-251421f7f226

Timeline

Publicly Published

2026-03-17 (about 23 days ago)

Added

2026-03-17 (about 22 days ago)

Last Updated

2026-03-17 (about 22 days ago)

Other

Published

Title

Published

2025-08-05

Title

WP Tournament Registration <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via field Parameter

Published

2014-08-01

Title

Elegant Grunge 1.0.3 - s Parameter XSS

Published

2024-09-30

Title

The Pack Elementor addons < 2.0.9 - Authenticated (Author+) Stored Cross-Site Scripting

Published

2025-07-20

Title

Simple Stripe Checkout <= 1.1.28 - Reflected Cross-Site Scripting

Published

2025-11-24

Title

Telegram Bot & Channel < 4.1.1 - Unauthenticated Stored Cross-Site Scripting via Telegram Username