Cross-Site Request Forgery Vulnerability in Popup Box Plugin for WordPress
CVE-2025-15611

Currently unrated

Key Information:

Vendor: WordPress
Status: Popup Box
Vendor: CVE Published:; 7 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-15611?

The Popup Box WordPress plugin versions prior to 5.5.0 have a critical vulnerability where nonces are not properly validated in the add_or_edit_popupbox() function. This flaw permits unauthenticated attackers to execute Cross-Site Request Forgery attacks. If an admin inadvertently visits a compromised site, the attacker gains the ability to create or modify popups, injecting arbitrary JavaScript that executes both in the admin interface and on the site's frontend. This can result in significant security risks, including unauthorized access and data manipulation.

Affected Version(s)

Popup Box 0 < 5.5.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-15611 - Proof of Concept

References

https://wpscan.com/vulnerability/089ea763-2421-4089-a220-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 7, 2026
👾
Exploit known to exist
Apr 7, 2026
Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Mar 16, 2026

Credit

Spider Sec Ltd

WPScan

CVE-2025-15611 Data

JSON