WordPress Plugin Vulnerabilities

Popup box < 6.0.8 - Cross-Site Request Forgery

Description

The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.7. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
ays-popup-box
Fixed in 6.0.8

References

CVE
CVE-2025-69021
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b843e8f7-e854-4572-9b1f-b1b27f752f07

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Doan Dinh Van (DinhVan52)
Verified
No
WPVDB ID
65e48fcf-e5c9-4490-a023-9327df5eab71

Timeline

Publicly Published
2025-12-28 (about 4 months ago)
Added
2026-01-06 (about 4 months ago)
Last Updated
2026-01-06 (about 4 months ago)

Other

Published
Title
Published
2023-02-28
Title
Smart YouTube PRO <= 4.3 - Cross-Site Request Forgery
Published
2024-04-22
Title
WPCal.io – Easy Meeting Scheduler < 0.9.5.9 - Cross-Site Request Forgery
Published
2023-05-16
Title
WP < 6.2.1 - Thumbnail Image Update via CSRF
Published
2023-06-16
Title
Galleria <= 1.0.3 - Cross-Site Request Forgery
Published
2025-06-05
Title
Print Invoice & Delivery Notes for WooCommerce < 5.6.0 - Cross-Site Request Forgery