CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24711 – WordPress Popup Box Plugin <= 3.2.4 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2025-24711
24 Jan 2025 — Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Popup Box allows Cross Site Request Forgery. This issue affects Popup Box: from n/a through 3.2.4. The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.4. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into perfo... • https://patchstack.com/database/wordpress/plugin/popup-box/vulnerability/wordpress-popup-box-plugin-3-2-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3477 – Popup Box < 2.2.7 - Popup Deletion via CSRF
https://notcve.org/view.php?id=CVE-2024-3477
11 Apr 2024 — The Popup Box WordPress plugin before 2.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting popups via CSRF attacks El complemento Popup Box de WordPress anterior a 2.2.7 no tiene comprobaciones CSRF en algunas acciones masivas, lo que podría permitir a los atacantes hacer que los administradores registrados realicen acciones no deseadas, como eliminar ventanas emergentes mediante ataques CSRF. The Popup Box – ne... • https://wpscan.com/vulnerability/ca5e59e6-c500-4129-997b-391cdf9aa9c7 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5809 – Popup box < 3.8.6 - Admin+ Stored XSS in Categories
https://notcve.org/view.php?id=CVE-2023-5809
13 Nov 2023 — The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) El complemento Popup box de WordPress anterior a 3.8.6 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scri... • https://wpscan.com/vulnerability/f1eb05e8-1b7c-45b1-912d-f668bd68e265 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5874 – Popup box < 3.8.6 - Admin+ Stored XSS in Popup Settings
https://notcve.org/view.php?id=CVE-2023-5874
13 Nov 2023 — The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) El complemento Popup box de WordPress anterior a 3.8.6 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scri... • https://wpscan.com/vulnerability/ebe3e873-1259-43b9-a027-daa4dbd937f3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5343 – Popup Box < 3.7.9 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-5343
27 Oct 2023 — The Popup box WordPress plugin before 3.7.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. El complemento Popup box de WordPress anterior a 3.7.9 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con altos privilegios, como el administrador, realizar ataques de Cross Site Scripting incluso cuando unfiltered_html no está permitido. T... • https://wpscan.com/vulnerability/74613b38-48f2-43d5-bae5-25c89ba7db6e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4390 – Popup box < 3.7.2 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-4390
29 Aug 2023 — The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup). El complemento Popup box de WordPress anterior a 3.7.2 no sanitiza ni escapa de algunos campos emergentes, lo que podría permitir a usuarios con altos privilegios, como un administrador, inyectar scripts web arbitrarios incluso cuand... • https://wpscan.com/vulnerability/9fd2eb81-185d-4d42-8acf-925664b7cb2f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 12EXPL: 1CVE-2023-2362 – Multiple Plugins from Wow-Company - Reflected XSS
https://notcve.org/view.php?id=CVE-2023-2362
22 May 2023 — The Float menu WordPress plugin before 5.0.2, Bubble Menu WordPress plugin before 3.0.4, Button Generator WordPress plugin before 2.3.5, Calculator Builder WordPress plugin before 1.5.1, Counter Box WordPress plugin before 1.2.2, Floating Button WordPress plugin before 5.3.1, Herd Effects WordPress plugin before 5.2.2, Popup Box WordPress plugin before 2.2.2, Side Menu Lite WordPress plugin before 4.0.2, Sticky Buttons WordPress plugin before 3.1.1, Wow Skype Buttons WordPress plugin before 4.0.2, WP Coder ... • https://wpscan.com/vulnerability/27e70507-fd68-4915-88cf-0b96ed55208e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27414 – WordPress Popup box Plugin <= 3.4.4 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-27414
08 Mar 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Popup Box Team Popup box plugin <= 3.4.4 versions. The Popup box plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'ays_pb_tab' parameter in versions up to, and including, 3.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Unauth. • https://patchstack.com/database/vulnerability/ays-popup-box/wordpress-popup-box-plugin-3-4-4-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29445 – WordPress Popup Box plugin <= 2.1.2 - Authenticated Local File Inclusion (LFI) vulnerability
https://notcve.org/view.php?id=CVE-2022-29445
17 May 2022 — Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Popup Box plugin <= 2.1.2 at WordPress. Una vulnerabilidad de inclusión de archivos locales (LFI) autenticada (administrador o rol superior) en el plugin Popup Box de Wow-Company versiones anteriores a 2.1.2 incluyéndola, en WordPress • https://patchstack.com/database/vulnerability/popup-box/wordpress-popup-box-plugin-2-1-2-authenticated-local-file-inclusion-lfi-vulnerability • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24458 – Popup box < 2.3.4 - Authenticated Blind SQL Injections
https://notcve.org/view.php?id=CVE-2021-24458
29 Jun 2021 — The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard Las funciones get_ays_popupboxes() y get_popup_categories() del plugin Popup box de WordPress versiones anteriores a 2.3.4, no usaban la lista blanca ni comprobaban el parámetro orderby antes de usarlo en las sentencias ... • https://wpscan.com/vulnerability/8a588266-54cd-4779-adcf-f9b9e226c297 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •