[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4VyA6QePCsOLeRp6-yipxqFShxOZo-DIuCMazykdhPg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2025-15611","popup-box-create-countdown-coupon-video-contact-form-popups-unauthenticated-stored-cross-site-scripting","Popup Box – Create Countdown, Coupon, Video, Contact Form Popups \u003C 5.5.0 - Unauthenticated Stored Cross-Site Scripting","The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions prior to 5.5.0 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","ays-popup-box",null,"\u003C5.5.0","5.5.0","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-08 00:00:00","2026-04-13 21:11:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0b658052-f283-4a47-a440-dbd7acded186?source=api-prod",6,[22,23,24,25],"admin\u002Fpartials\u002Factions\u002Fays-pb-admin-actions.php","ays-pb.php","includes\u002Fclass-ays-pb-data.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2025-15611 (Popup Box Plugin)\n\n## 1. Vulnerability Summary\nThe **Popup Box – Create Countdown, Coupon, Video, Contact Form Popups** plugin for WordPress is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)** in versions up to and including **5.4.9**. \n\nThe vulnerability exists because the plugin registers a handler for popup creation and updates on the `admin_init` hook (via the `Ays_Pb_Admin` class). This handler includes the file `admin\u002Fpartials\u002Factions\u002Fays-pb-admin-actions.php`, which processes `$_POST` data to save popup configurations. Crucially, this file and the underlying saving method fail to verify **nonces** or **user capabilities** before performing database operations. Since `admin_init` is triggered for all requests to `\u002Fwp-admin\u002Fadmin-ajax.php` (even for unauthenticated users), any visitor can modify existing popups or create new ones containing malicious JavaScript.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php` (or `\u002Fwp-admin\u002Fadmin-post.php`, the other admin entry point that fires `admin_init` without first calling `auth_redirect()`; regular `wp-admin` pages redirect unauthenticated visitors to the login form before the hook runs, so they are not usable here).\n- **HTTP Method**: `POST` (with optional `GET` parameters for ID targeting).\n- **Authentication**: None (Unauthenticated).\n- **Vulnerable Parameters**: \n    - `ays_pb_title`\n    - `ays_pb_description`\n    - `ays_pb_content`\n    - Any field within the `options` JSON structure processed by `add_or_edit_popupbox()`.\n- **Preconditions**: The plugin must be active. To overwrite an existing popup, the attacker needs its ID (usually starts at 1 and increments).\n\n## 3. Code Flow\n1. **Entry Point**: A request is made to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n2. **Hook Trigger**: WordPress fires the `admin_init` hook.\n3. **Plugin Handler**: The plugin's admin class (likely `Ays_Pb_Admin`) has a method hooked to `admin_init`.\n4. **Partial Inclusion**: This method includes `admin\u002Fpartials\u002Factions\u002Fays-pb-admin-actions.php` (confirmed in source).\n5. **Vulnerable Logic**:\n   - `ays-pb-admin-actions.php` checks if `isset($_POST['ays_submit'])`.\n   - It captures the popup ID from `$_GET['popupbox']` and assigns it to `$_POST['id']`.\n   - It calls `$this->popupbox_obj->add_or_edit_popupbox()`.\n6. **Data Sink**: `add_or_edit_popupbox()` (in `includes\u002Fclass-ays-pb-admin.php`, inferred) takes the raw `$_POST` data and saves it to the `{wpdb_prefix}ays_pb` table.\n7. **Rendering**: When an admin views the popup list or a user visits a page where the popup is displayed, the unsanitized title or content is rendered, executing the injected script.\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required.**\nThe provided source file `admin\u002Fpartials\u002Factions\u002Fays-pb-admin-actions.php` explicitly checks for the presence of `$_POST['ays_submit']` but contains no calls to `check_admin_referer()` or `wp_verify_nonce()`. 
\n\n```php\n\u002F\u002F admin\u002Fpartials\u002Factions\u002Fays-pb-admin-actions.php\n\nif (isset($_POST['ays_submit']) || isset($_POST['ays_submit_top'])) {\n    $_POST['id'] = $id;\n    $this->popupbox_obj->add_or_edit_popupbox();\n}\n```\n\n## 5. Exploitation Strategy\nThe exploit will perform an unauthenticated `POST` request to `\u002Fwp-admin\u002Fadmin-ajax.php` to overwrite an existing popup with a malicious payload.\n\n### Step-by-Step Plan:\n1. **Identify Popup ID**: Popups typically start with ID `1`. We will target `popupbox=1`.\n2. **Craft Payload**: A standard XSS payload `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n3. **Execute HTTP Request**: Use `http_request` to send the payload.\n\n### HTTP Request Details:\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php?popupbox=1`\n- **Method**: `POST`\n- **Headers**:\n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body Parameters**:\n    - `ays_submit: 1`\n    - `ays_pb_title: Malicious Popup`\n    - `ays_pb_content: \u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n    - `ays_pb_description: Stored XSS`\n\n## 6. Test Data Setup\nBefore executing the exploit, ensure at least one popup exists.\n```bash\n# Use WP-CLI to insert a dummy popup record into the database.\n# The prefix comes from command substitution, so the $ must not be escaped inside the double quotes.\nwp db query \"INSERT INTO $(wp db prefix)ays_pb (title, content, options) VALUES ('Safe Popup', 'Normal Content', '{}')\"\n```\n\n## 7. Expected Results\n- The HTTP response from `admin-ajax.php` might be a redirect (302) or a success message (depending on how `add_or_edit_popupbox` handles the redirect). If the handler returns without exiting, `admin-ajax.php` itself answers `0` with HTTP 400 because the request carries no `action` parameter; that response does not mean the save failed.\n- The database record for popup ID 1 will be updated with the malicious payload.\n- Navigating to the admin page `wp-admin\u002Fadmin.php?page=ays-pb` will trigger the XSS.\n\n## 8. 
Verification Steps\nAfter the exploit, verify the database state using WP-CLI:\n```bash\n# Check if the title was modified (--table is passed through to the mysql client for tabular output)\nwp db query \"SELECT title, content FROM $(wp db prefix)ays_pb WHERE id=1\" --table\n```\n\n## 9. Alternative Approaches\nIf overwriting an existing ID fails (e.g., if ID 1 doesn't exist):\n1. **ID Discovery**: Iterate `popupbox=X` from 1 to 20.\n2. **Creation Attempt**: Try omitting the `popupbox` parameter in the `GET` query. If `add_or_edit_popupbox()` handles null IDs by creating a new record, the payload will be stored in a new popup.\n3. **Field Variation**: Some versions of the plugin might store the content inside the `options` JSON. If `ays_pb_content` doesn't work, try injecting into the `options` parameter:\n   - Body: `ays_submit=1&options={\"ays_pb_content\":\"\u003Cscript>alert(1)\u003C\u002Fscript>\"}` (URL encoded).","The Popup Box plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting (XSS) because it processes popup save requests on the admin_init hook without verifying nonces or user capabilities. 
Attackers can remotely modify or create popups containing malicious JavaScript, which executes when site visitors or administrators view the affected pages or the plugin's dashboard.","\u002F\u002F admin\u002Fpartials\u002Factions\u002Fays-pb-admin-actions.php line 6\nif (isset($_POST['ays_submit']) || isset($_POST['ays_submit_top'])) {\n    $_POST['id'] = $id;\n    $this->popupbox_obj->add_or_edit_popupbox();\n}\n\nif (isset($_POST['ays_apply']) || isset($_POST['ays_apply_top'])) {\n    $_POST['id'] = $id;\n    $_POST['submit_type'] = 'apply';\n    $this->popupbox_obj->add_or_edit_popupbox();\n}\n\n---\n\n\u002F\u002F admin\u002Fpartials\u002Factions\u002Fays-pb-admin-actions.php line 8704 (example of unsanitized JS output)\n$(document).find(ays_pb_view_type + ' .desc').html($(\"#\u003C?php echo esc_attr($this->plugin_name); ?>-popup_description\").val());","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fays-popup-box\u002F5.4.9\u002Fadmin\u002Fpartials\u002Factions\u002Fays-pb-admin-actions.php\t2025-08-19 06:38:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fays-popup-box\u002F5.5.0\u002Fadmin\u002Fpartials\u002Factions\u002Fays-pb-admin-actions.php\t2025-08-26 07:00:26.000000000 +0000\n@@ -4,11 +4,19 @@\n $ays_pb_tab = isset($_GET['ays_pb_tab']) ? sanitize_text_field($_GET['ays_pb_tab']) : 'tab1';\n \n if (isset($_POST['ays_submit']) || isset($_POST['ays_submit_top'])) {\n+    \u002F\u002F CSRF protection: verify nonce and referer before processing\n+    if ( ! isset($_POST['pb_action']) || ! check_admin_referer( 'pb_action', 'pb_action' ) ) {\n+        wp_die( 'Invalid request.' );\n+    }\n     $_POST['id'] = $id;\n     $this->popupbox_obj->add_or_edit_popupbox();\n }\n \n if (isset($_POST['ays_apply']) || isset($_POST['ays_apply_top'])) {\n+    \u002F\u002F CSRF protection: verify nonce and referer before processing\n+    if ( ! isset($_POST['pb_action']) || ! 
check_admin_referer( 'pb_action', 'pb_action' ) ) {\n+        wp_die( 'Invalid request.' );\n+    }\n     $_POST['id'] = $id;\n     $_POST['submit_type'] = 'apply';\n     $this->popupbox_obj->add_or_edit_popupbox();\n@@ -8693,7 +8701,7 @@\n                                 'background-size' : pb_bg_image_sizing,\n                                 'background-position' : pb_bg_image_position\n                             });\n-                            $(document).find(ays_pb_view_type + ' .desc').html($(\"#\u003C?php echo esc_attr($this->plugin_name); ?>-popup_description\").val());\n+                            $(document).find(ays_pb_view_type + ' .desc').text($(\"#\u003C?php echo esc_attr($this->plugin_name); ?>-popup_description\").val());\n                             $(document).find(ays_pb_view_type + ' .ays_title').html( pbTitle );\n                             $(document).find(\"#ays-pb-close-button-text\").on('change', function () {\n                                 if($(\"#ays-pb-close-button-text\").val() == '✕'){","To exploit this vulnerability, an unauthenticated attacker needs to send a crafted POST request to the WordPress admin-ajax.php endpoint. Because the plugin's save logic is triggered by the 'admin_init' hook (which fires even for unauthenticated requests to certain admin scripts) and fails to check for nonces or administrative privileges, the attacker can overwrite existing popups or create new ones. The payload should include 'ays_submit=1' and a malicious script in parameters like 'ays_pb_title' or 'ays_pb_content'. If targeting an existing popup, the 'popupbox' GET parameter should be set to the target's ID. 
Once saved, the injected script will execute when the popup is rendered on the front end or in the admin preview.","gemini-3-flash-preview","2026-04-17 20:11:54","2026-04-17 20:12:48",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","5.4.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-popup-box\u002Ftags\u002F5.4.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fays-popup-box.5.4.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-popup-box\u002Ftags\u002F5.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fays-popup-box.5.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fays-popup-box\u002Ftags"]
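Review bot: in the `@@ -4,11 +4,19 @@` hunk of `ays-pb-admin-actions.php`, both new guards add CSRF protection but no authorization: once `check_admin_referer( 'pb_action', 'pb_action' )` passes, `$this->popupbox_obj->add_or_edit_popupbox()` still runs for any user who holds a valid `pb_action` nonce, so a capability check (whatever capability gates the plugin's admin page) belongs on the same lines, e.g. `if ( ! current_user_can( $cap ) ) { wp_die( 'Invalid request.', '', array( 'response' => 403 ) ); }`. Two smaller points: the `! isset($_POST['pb_action'])` precheck is redundant, because `check_admin_referer()` already dies when the nonce is absent, and `wp_die( 'Invalid request.' )` without a response code reports whatever status the active die handler defaults to (200 under `admin-ajax.php`, 500 elsewhere), so pass `array( 'response' => 403 )` to make the rejection explicit. The six lines are duplicated verbatim in the `ays_apply` branch; a single check before both `if` blocks would be easier to keep in sync.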
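Review bot: in the `@@ -8693,7 +8701,7 @@` hunk, the unchanged context line right after the change, `$(document).find(ays_pb_view_type + ' .ays_title').html( pbTitle );`, still injects the title with `.html()`, so if `pbTitle` is read from the title input the same DOM-injection pattern this hunk removes for the description survives one line down; switch it to `.text()` as well, or point to where `pbTitle` is escaped. Note also that moving the description preview to `.text()` changes only the live preview: the stored value is unchanged, and any markup an editor legitimately enters now renders literally in the preview while the front end still receives it as HTML. If HTML is intended in that field, the durable fix is server-side filtering on save (e.g. `wp_kses_post()`), not a preview change.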