Popup Box Security Vulnerabilities

CVE-2024-34367

Cross-Site Request Forgery (CSRF) vulnerability in Popup Box Team Popup box allows Cross-Site Scripting (XSS).This issue affects Popup box: from n/a through...

CVE-2024-3897

The Popup Box – Best WordPress Popup Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_pb_create_author AJAX action in all versions up to, and including, 4.3.6. This makes it possible for unauthenticated attackers to enumerate all....

CVE-2024-3477

The Popup Box WordPress plugin before 2.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting popups via CSRF...

CVE-2024-31387

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Popup LikeBox Team Popup Like box allows Stored XSS.This issue affects Popup Like box: from n/a through...

CVE-2024-2008

The Modal Popup Box – Popup Builder, Show Offers And News in Popup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.2 via deserialization of untrusted input in the awl_modal_popup_box_shortcode function. This makes it possible for authenticated...

CVE-2023-6591

The Popup Box WordPress plugin before 20.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is...

CVE-2023-5809

The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

CVE-2023-5874

The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

CVE-2023-5343

The Popup box WordPress plugin before 3.7.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is...

CVE-2023-4390

The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite...

CVE-2023-27414

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Popup Box Team Popup box plugin <= 3.4.4...

CVE-2023-2362

The Float menu WordPress plugin before 5.0.2, Bubble Menu WordPress plugin before 3.0.4, Button Generator WordPress plugin before 2.3.5, Calculator Builder WordPress plugin before 1.5.1, Counter Box WordPress plugin before 1.2.2, Floating Button WordPress plugin before 5.3.1, Herd Effects...

CVE-2022-29445

Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Popup Box plugin <= 2.1.2 at...

CVE-2022-0641

The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the ays_fb_tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site...

CVE-2021-24867

Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to....

CVE-2021-24460

The get_fb_likeboxes() function in the Popup Like box – Page Plugin WordPress plugin before 3.5.3 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin...

CVE-2021-24458

The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin...