Cross-Site Request Forgery Vulnerability in Popup Box Plugin for WordPress
CVE-2026-1165

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
Vendor: CVE Published:; 31 January 2026

What is CVE-2026-1165?

The Popup Box plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to an issue in its nonce verification process within the 'publish_unpublish_popupbox' function. This vulnerability allows attackers to alter the publication status of popups by tricking an administrator into executing a forged request, bypassing security mechanisms. Affected versions include all versions up to 6.1.1. Proper nonce verification is essential to mitigate this risk and secure web applications against unauthorized actions.

Affected Version(s)

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups * <= 6.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/ays-popup-box/...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 31, 2026
Vulnerability Reserved
Jan 19, 2026

Credit

Bui Van Y

CVE-2026-1165 Data

JSON