CVE-2025-69021
Description
Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery. This issue affects Popup box: from n/a through <= 6.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Ays Pro Popup box plugin (<=6.0.7) allows attackers to force privileged users into executing unwanted actions.
Versions of the Popup box plugin for WordPress by Ays Pro up to and including 6.0.7 contain a Cross-Site Request Forgery (CSRF) vulnerability. The plugin insufficiently validates requests, allowing an attacker to craft malicious actions that are executed under the authentication of a higher-privileged user [1].
Exploitation requires the attacker to trick a privileged user (such as an admin) into clicking a crafted link or submitting a form while authenticated. This can be achieved via social engineering or embedding the malicious request in content the victim views. The attack does not require direct network access to the server but relies on user interaction [1].
If successful, an attacker can force the victim's browser to perform unwanted administrative actions, such as modifying plugin settings or creating new accounts, under the victim's current session. This can lead to unauthorized changes within the WordPress installation [1].
Users are advised to update the plugin to version 6.0.8 or later, which resolves the vulnerability. Patchstack users can enable auto-updates for vulnerable plugins. The vendor considers this a low-severity issue unlikely to be mass-exploited, but updating is recommended as a security best practice [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.