Unauthenticated XSS Vulnerability in Popup Box Plugin by WordPress
CVE-2026-54192

7.1HIGH

Key Information:

Vendor: WordPress
Status: Popup Box
Vendor: CVE Published:; 17 June 2026

What is CVE-2026-54192?

The Popup Box plugin for WordPress has a vulnerability that allows attackers to inject arbitrary scripts without authentication. This flaw, present in all versions up to and including 6.2.9, can be exploited to execute malicious code when users interact with the affected elements of the plugin. It is crucial for users and administrators to take immediate action to secure their installations against potential exploitation.

Affected Version(s)

Popup box <= 6.2.9

References

https://patchstack.com/database/wordpress/plugin/ays-popu...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
Jun 12, 2026

Credit

João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program

CVE-2026-54192 Data

JSON