Popup Box – Create Countdown, Coupon, Video, Contact Form Popups Vu…

by | Jan 31, 2026 | Plugins

Attack Vectors

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups (slug: ays-popup-box) has a Medium-severity vulnerability (CVSS 4.3, CVE-2026-1165) that can be exploited through Cross-Site Request Forgery (CSRF).

In practical terms, the attacker does not need an account on your site. Instead, they try to trick an administrator (or another user with sufficient access) into clicking a link or visiting a page that silently submits a forged request to the site. The forged request rides on the administrator's existing login cookies, so it only works while that administrator is logged in. If it succeeds, the forged request can change the publish status of popups.

Security Weakness

The issue stems from a flawed security check in the plugin’s publish_unpublish_popupbox function. Rather than verifying the nonce submitted with the request, the handler generates a nonce itself and then verifies that freshly created value. A nonce the code has just minted always verifies, so the check passes for every request, whether or not the caller supplied a nonce at all. This defeats the protection that is normally supposed to stop forged actions initiated from outside your WordPress admin session.

Because the request can be forged and only needs an administrator to be persuaded to interact with it, this vulnerability is classified as Medium risk: the required user interaction keeps the CVSS score at 4.3, but a successful attack still makes real, business-relevant changes inside the site.
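To make the flaw concrete, here is the vulnerable pattern described above next to a hardened version of the same handler. This is an added illustration written for this page, not the plugin's own code: the handler name comes from the advisory, but the nonce action name, the AJAX hook name, the request parameter names, the required capability and the set_popup_status() helper are all assumptions chosen for the example.

```php
<?php
// Added illustration, not code from the ays-popup-box plugin. Every name marked
// "assumed" is hypothetical; only the handler name appears in the advisory.

// Hypothetical persistence helper standing in for whatever the plugin uses to
// store a popup's status. Its body is irrelevant to the CSRF check.
function set_popup_status( $popup_id, $status ) {
    update_option( 'example_popup_status_' . absint( $popup_id ), $status ); // assumed storage
}

// BEFORE (the weakness the advisory describes): the handler creates a nonce and
// then "verifies" that same value. wp_verify_nonce() is handed a token minted a
// moment ago for the current user, so it always succeeds. The request's own
// nonce field is never read, and a forged cross-site request passes the check.
function vulnerable_publish_unpublish_popupbox() {
    $nonce = wp_create_nonce( 'ays_popup_box_status' );            // action name assumed
    if ( ! wp_verify_nonce( $nonce, 'ays_popup_box_status' ) ) {
        wp_send_json_error( 'invalid nonce', 403 );                // never reached
    }
    $id     = absint( $_POST['popup_id'] ?? 0 );                  // parameter names assumed
    $status = sanitize_text_field( $_POST['status'] ?? '' );
    set_popup_status( $id, $status );
    wp_send_json_success();
}

// AFTER: verify the nonce the request actually carries, then enforce capability.
// A page on another origin cannot read the victim's nonce, so it cannot supply
// a valid one, and the forged request is rejected before any state change.
function hardened_publish_unpublish_popupbox() {
    // check_ajax_referer() reads $_REQUEST['_ajax_nonce'] and, because $die
    // defaults to true, terminates the request with a 403 on a bad or missing nonce.
    check_ajax_referer( 'ays_popup_box_status', '_ajax_nonce' );

    // A nonce proves intent, not authority: still check what the user may do.
    if ( ! current_user_can( 'manage_options' ) ) {               // capability assumed
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $id     = absint( $_POST['popup_id'] ?? 0 );
    $status = sanitize_text_field( $_POST['status'] ?? '' );
    if ( 0 === $id || ! in_array( $status, array( 'publish', 'unpublish' ), true ) ) {
        wp_send_json_error( 'bad request', 400 );
    }
    set_popup_status( $id, $status );
    wp_send_json_success();
}
add_action( 'wp_ajax_ays_publish_unpublish_popupbox', 'hardened_publish_unpublish_popupbox' ); // hook name assumed

// The legitimate admin screen must mint the nonce and submit it with the request;
// wp_nonce_field() emits the hidden '_ajax_nonce' input that check_ajax_referer() reads.
function render_status_toggle_form( $popup_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="ays_publish_unpublish_popupbox">
        <input type="hidden" name="popup_id" value="<?php echo absint( $popup_id ); ?>">
        <input type="hidden" name="status" value="unpublish">
        <?php wp_nonce_field( 'ays_popup_box_status', '_ajax_nonce' ); ?>
        <button type="submit">Unpublish</button>
    </form>
    <?php
}
```

The quickest way to audit a plugin for this pattern is to search its handlers for a wp_create_nonce() call whose result feeds wp_verify_nonce() in the same function: the check is tautological, and the fix is always the same, read the token from the request and pair the nonce check with a current_user_can() check.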

Technical or Business Impacts

The stated impact is an unauthorized change to the publish status of popups (for example, publishing or unpublishing popups). For marketing leaders and executives, this can translate into brand and revenue risk because popups often control high-visibility experiences like coupons, lead capture forms, countdowns, and promotional messaging.

Potential business impacts include campaign disruption (offers appearing or disappearing unexpectedly), conversion-rate volatility (lead capture forms disabled or replaced by the wrong message), customer trust issues (confusing or inconsistent promotions), and compliance concerns if popups support required notices or consent flows and their availability changes without authorization.

Similar Attacks

CSRF is a well-known web attack pattern where an attacker attempts to make a logged-in user’s browser perform an unwanted action. For general background and real-world context, these references cover CSRF and how it is abused:

OWASP: Cross-Site Request Forgery (CSRF)

PortSwigger Web Security Academy: CSRF

For this specific issue in Popup Box – Create Countdown, Coupon, Video, Contact Form Popups, see the official record: CVE-2026-1165.
