Popup Box < 6.1.2 – Cross-Site Request Forgery to Popup Status Change | CVE 2026-1165 | Plugin Vulnerabilities

Description

The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.

Affects Plugins

Fixed in 6.1.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/585a9eb4-f394-4cb2-9050-659171a994d9

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

w41bu1

Verified

No

WPVDB ID

b10d7c83-8c8d-4ff0-8927-0643f7d12322

Timeline

Publicly Published

2026-01-30 (about 3 months ago)

Added

2026-01-31 (about 3 months ago)

Last Updated

2026-01-31 (about 3 months ago)

Other

Published

Title

Published

2022-05-23

Title

Core Control <= 1.2.1 - Arbitrary Settings Update via CSRF

Published

2025-04-09

Title

Easyfonts < 1.1.3 - Cross-Site Request Forgery

Published

2022-05-31

Title

Tiny Contact Form <= 0.7 - Arbitrary Settings Update via CSRF

Published

2023-02-28

Title

Responsive Vertical Icon Menu < 1.5.9 - Theme Deletion via CSRF

Published

2023-03-29

Title

Wp Ultimate Review < 2.1.0 - Settings Update via CSRF