VYPR
Medium severity (CVSS 5.4) · NVD Advisory · Published Jan 24, 2025 · Updated Apr 23, 2026

CVE-2025-24711

Description

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Popup Box (popup-box) allows Cross Site Request Forgery. This issue affects Popup Box: from n/a through <= 3.2.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in the Popup Box plugin for WordPress allows attackers to force privileged users into unintended actions via crafted requests.

Vulnerability

Overview

CVE-2025-24711 is a Cross-Site Request Forgery (CSRF) vulnerability in the Popup Box plugin for WordPress, developed by Wow-Company. The plugin is used to create and manage popup boxes on websites. The vulnerability affects all versions up to and including 3.2.4. The root cause is the absence of a CSRF protection mechanism on state-changing requests, which would normally require a unique, per-user token (in WordPress, a nonce) to accompany each such request. Without this check, the plugin accepts a request carrying an authenticated administrator's session cookies without verifying that the request originated from the plugin's own admin pages [1].
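To make the mechanism concrete, the following is an added illustration and not code from the Popup Box plugin: a WordPress admin settings handler written in the unprotected style the advisory describes, next to the standard hardened form that emits a nonce with the form and verifies it (plus the user's capability) before writing. The function names, the option name and the hook name (`wpex_*`) are hypothetical.

```php
<?php
// Added illustration, not code from the Popup Box plugin. All wpex_* names,
// the option name and the admin_post hook are hypothetical.

// Unprotected pattern: any POST that reaches this handler is applied. A form on
// an attacker-controlled site, submitted by a logged-in administrator's browser,
// succeeds because the browser attaches the WordPress session cookies
// automatically and nothing proves the request came from the plugin's own page.
function wpex_save_settings_unprotected() {
    if ( ! isset( $_POST['wpex_popup_content'] ) ) {
        return;
    }
    update_option( 'wpex_popup_content', wp_kses_post( wp_unslash( $_POST['wpex_popup_content'] ) ) );
}

// Hardened pattern, step 1: the settings form embeds a nonce bound to the
// current user and to the action name 'wpex_save_settings'.
function wpex_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wpex_save_settings', 'wpex_settings_nonce' ); ?>
        <input type="hidden" name="action" value="wpex_save_settings">
        <textarea name="wpex_popup_content"></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Hardened pattern, step 2: verify capability and nonce before any write.
// check_admin_referer() calls wp_die() on a missing or invalid nonce, so a
// forged cross-site request never reaches update_option().
function wpex_save_settings_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Checks $_REQUEST['wpex_settings_nonce'] against the action 'wpex_save_settings'.
    check_admin_referer( 'wpex_save_settings', 'wpex_settings_nonce' );

    $content = isset( $_POST['wpex_popup_content'] )
        ? wp_kses_post( wp_unslash( $_POST['wpex_popup_content'] ) )
        : '';
    update_option( 'wpex_popup_content', $content );

    // Hypothetical settings page slug used for the redirect target.
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=wpex-popup' ) ) );
    exit;
}
add_action( 'admin_post_wpex_save_settings', 'wpex_save_settings_protected' );
```

Two points worth checking when reviewing a plugin for this class of issue: the nonce check must sit in every state-changing handler, not only on the form-rendering side (AJAX handlers use `check_ajax_referer()` in the same way), and the capability check is a separate control. A nonce proves the request came from a page the site rendered for that user; `current_user_can()` proves the user is allowed to make the change. The advisory's requirement that a privileged user be tricked into visiting a crafted page follows directly from the first control being absent.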

Exploitation

Requirements

Exploitation requires that a privileged user (e.g., an administrator) is tricked into performing an action such as clicking a malicious link or visiting a specially crafted web page while they are logged into their WordPress dashboard. An attacker cannot directly modify the plugin's settings without this user interaction, but by crafting a cross-site request they can force the victim's browser to execute unwanted actions under the victim's current session and authentication [1].

Impact

Successful exploitation could allow an attacker to force a higher-privileged user (typically an administrator) to perform unintended actions, such as changing plugin settings, creating new popups with malicious content, or other configuration changes. This could lead to further attacks including stored cross-site scripting or defacement, depending on the plugin's features. The CVSS v3 score of 5.4 reflects a medium severity, with the need for user interaction slightly reducing the risk [1].

Mitigation

The vulnerability has been addressed in Popup Box version 3.2.5. Users are strongly advised to update the plugin to this latest version immediately. Patchstack users can enable auto-updates for vulnerable plugins. For those unable to update promptly, it is recommended to ask a hosting provider or web developer for assistance, or to temporarily disable the plugin until the update can be applied [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

1
