CVE-2026-1165 Overview
The Popup Box plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 6.1.1. The vulnerability exists due to a flawed nonce implementation in the publish_unpublish_popupbox function that verifies a self-created nonce rather than one submitted in the request. This security flaw enables unauthenticated attackers to manipulate the publish status of popups through forged requests when they can trick a site administrator into performing an action such as clicking a malicious link.
Critical Impact
Unauthenticated attackers can modify popup publish status via CSRF, potentially disrupting website functionality or enabling further attacks through popup manipulation.
Affected Products
- WordPress Popup Box Plugin versions up to and including 6.1.1
- WordPress sites using the ays-popup-box plugin
Discovery Timeline
- 2026-01-31 - CVE-2026-1165 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-1165
Vulnerability Analysis
This CSRF vulnerability stems from improper nonce verification in the WordPress Popup Box plugin. The publish_unpublish_popupbox function contains a fundamental security flaw where it validates a self-generated nonce instead of verifying the nonce token submitted with the incoming HTTP request. This breaks the entire CSRF protection mechanism that WordPress nonces are designed to provide.
In WordPress, nonces serve as security tokens to verify that requests originate from legitimate sources and that the user intended to perform the action. When a function verifies its own generated nonce rather than the one passed in the request, it effectively bypasses this protection entirely, allowing any external request to pass the security check.
Root Cause
The root cause is the incorrect implementation of WordPress nonce verification in the publish_unpublish_popupbox function located in the plugin's list table class. The vulnerable code can be found in class-ays-pb-list-table.php at line 701, where the nonce verification logic checks against a locally generated value instead of the request-submitted nonce parameter. This implementation error negates the purpose of CSRF protection tokens.
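The following constructed illustration (added here, not code from the Popup Box plugin) shows the bug class described above: an AJAX handler that verifies a nonce it created itself, beside the corrected form that verifies the nonce submitted with the request. Every hook, action and option name in it is hypothetical.

```php
<?php
// Constructed illustration of the bug class described above, not code from the
// Popup Box plugin: every hook, action and option name here is hypothetical.

// VULNERABLE pattern: the handler creates a nonce and verifies that same value.
// wp_verify_nonce() therefore always succeeds and the token carried by the
// request is never examined, so a forged cross-site POST passes the check.
function example_toggle_popup_vulnerable() {
    $nonce = wp_create_nonce( 'example_toggle_popup' );          // self-created
    if ( ! wp_verify_nonce( $nonce, 'example_toggle_popup' ) ) { // always true
        wp_die( 'Invalid nonce', 403 );
    }
    $popup_id = absint( $_POST['popup_id'] ?? 0 );
    update_option( 'example_popup_' . $popup_id . '_published', ! empty( $_POST['publish'] ) );
    wp_send_json_success();
}

// FIXED pattern: verify the nonce the request actually submitted (the _wpnonce
// field) and check the capability too, since a nonce proves intent, not authority.
function example_toggle_popup_fixed() {
    $submitted = isset( $_POST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $submitted, 'example_toggle_popup' ) ) {
        wp_die( 'Invalid nonce', 403 );   // check_ajax_referer() is the one-line equivalent
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $popup_id = absint( $_POST['popup_id'] ?? 0 );
    update_option( 'example_popup_' . $popup_id . '_published', ! empty( $_POST['publish'] ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_toggle_popup', 'example_toggle_popup_fixed' );

// The dashboard page that issues the request must embed the matching token, e.g.
// wp_nonce_field( 'example_toggle_popup' ) inside the form, or
// wp_create_nonce( 'example_toggle_popup' ) passed to the script via wp_localize_script().
```

The value returned by wp_create_nonce() is tied to the current user and session, which is exactly why verifying it against itself proves nothing about where the request came from.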
Attack Vector
An attacker can exploit this vulnerability through the following attack scenario:
- The attacker crafts a malicious webpage or email containing a hidden form or link that targets the vulnerable publish_unpublish_popupbox function
- The attacker tricks a logged-in WordPress administrator into visiting the malicious page or clicking the link
- The victim's browser automatically sends the forged request with their authenticated session cookies
- Due to the flawed nonce verification, the plugin accepts the request as legitimate
- The popup's publish status is changed without the administrator's knowledge or consent
This vulnerability requires user interaction (the administrator must click a link or visit a malicious page), but no authentication is required from the attacker's perspective. The attack can be executed entirely over the network.
Detection Methods for CVE-2026-1165
Indicators of Compromise
- Unexpected changes to popup publish/unpublish status in the WordPress Popup Box plugin
- Administrator accounts showing activity at times when the administrator was not actually working in the dashboard
- Referrer logs showing requests to popup management endpoints originating from external domains
- HTTP access logs containing POST requests to admin-ajax.php with popup-related actions from suspicious sources
Detection Strategies
- Monitor WordPress admin action logs for unauthorized popup status changes using security plugins
- Implement web application firewall rules to detect CSRF attack patterns targeting WordPress admin functions
- Review server access logs for unusual patterns of requests to the Popup Box plugin endpoints
- Enable WordPress audit logging to track all changes to popup configurations and their originating sessions
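The log-based indicators and the access-log review strategy above can be turned into a concrete check. The script below is an added example (not from the advisory): it scans combined-format access log lines for state-changing POSTs to admin endpoints whose Referer is a foreign site or absent. The site host, the watched paths and the sample log lines are all constructed for this illustration.

```php
<?php
// Added example, not part of the advisory: scan combined-format web server access
// logs for the trace a CSRF hit leaves behind, a state-changing POST to an admin
// endpoint whose Referer is a foreign site or absent. The site host, the watched
// paths and the log lines below are all constructed for this illustration.
$site_host   = 'shop.example';
$watch_paths = [ '/wp-admin/admin-ajax.php', '/wp-admin/admin.php' ];
$log_lines = [
    // expected: an admin toggles a popup from the dashboard, same-origin Referer
    '203.0.113.7 - - [03/Feb/2026:10:01:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "https://shop.example/wp-admin/admin.php?page=example-popups" "Mozilla/5.0"',
    // suspicious: the same admin session, but the Referer is a third-party page
    '203.0.113.7 - - [03/Feb/2026:10:07:45 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "https://attacker.example/win.html" "Mozilla/5.0"',
    // suspicious: admin endpoint hit with no Referer at all
    '203.0.113.7 - - [03/Feb/2026:10:09:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    // expected: front-end GET traffic to admin-ajax.php is normal and must not alert
    '198.51.100.9 - - [03/Feb/2026:10:10:00 +0000] "GET /wp-admin/admin-ajax.php?action=example_public HTTP/1.1" 200 12 "https://shop.example/" "Mozilla/5.0"',
];

// Returns the entries that look like cross-site POSTs to watched admin endpoints.
function find_cross_site_admin_posts( array $lines, string $site_host, array $watch_paths ): array {
    // %h %l %u [%t] "%r" %>s %b "%{Referer}i" "%{User-agent}i"
    $re   = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    $hits = [];
    foreach ( $lines as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) {
            continue;                       // not a combined-format line
        }
        [ $whole, $ip, $ts, $method, $target, $status, $referer ] = $m;
        $path = parse_url( $target, PHP_URL_PATH );
        if ( $method !== 'POST' || ! in_array( $path, $watch_paths, true ) ) {
            continue;                       // only state-changing admin requests matter
        }
        $ref_host = ( $referer === '-' ) ? null : parse_url( $referer, PHP_URL_HOST );
        if ( $ref_host === $site_host ) {
            continue;                       // same-origin: ordinary dashboard traffic
        }
        $hits[] = [
            'ip'     => $ip,
            'time'   => $ts,
            'status' => (int) $status,
            'reason' => $ref_host === null ? 'missing Referer' : 'foreign Referer ' . $ref_host,
        ];
    }
    return $hits;
}

foreach ( find_cross_site_admin_posts( $log_lines, $site_host, $watch_paths ) as $hit ) {
    printf( "%s %s HTTP %d: %s\n", $hit['time'], $hit['ip'], $hit['status'], $hit['reason'] );
}
```

Missing-Referer hits need triage, since browser privacy settings can strip the header from legitimate requests; a foreign-Referer POST that the server answered with a 2xx status is the entry to investigate first.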
Monitoring Recommendations
- Deploy endpoint protection solutions like SentinelOne to detect and block malicious web requests targeting WordPress installations
- Configure alerts for bulk or rapid changes to popup settings that may indicate automated CSRF exploitation
- Monitor for unusual administrator session activity patterns that could indicate compromised sessions
- Implement Content Security Policy headers to reduce the risk of CSRF attacks through embedded content
How to Mitigate CVE-2026-1165
Immediate Actions Required
- Update the Popup Box plugin to version 6.1.2 or later immediately
- Review popup configurations for any unauthorized changes that may have occurred before patching
- Consider temporarily disabling the plugin if immediate update is not possible
- Audit administrator accounts for any signs of unauthorized activity
Patch Information
A security patch addressing this vulnerability is available in version 6.1.2 of the Popup Box plugin. The fix properly implements nonce verification by checking the nonce value submitted in the request rather than a self-generated value. The patch changes can be reviewed in the WordPress Plugin Version Change.
Additional technical details about the vulnerability are available in the Wordfence Vulnerability Report.
Workarounds
- Implement additional CSRF protection at the web server or WAF level to filter suspicious cross-origin requests to WordPress admin endpoints
- Restrict administrative access to trusted IP addresses using .htaccess or server configuration
- Educate administrators about phishing risks and avoiding clicking suspicious links while logged into WordPress
- Consider using browser extensions that warn about potential CSRF attacks or block cross-origin form submissions
# Apache .htaccess example to restrict admin access by IP
# Save this as wp-admin/.htaccess: a <Files> section matches file names only, so
# "<Files wp-admin/*>" would never match the directory. Apache 2.4 syntax
# (mod_authz_core); on Apache 2.2 use the equivalent Order/Deny/Allow directives.
# Keep admin-ajax.php reachable, because plugins commonly call it from the public site.
<Files admin-ajax.php>
    Require all granted
</Files>
Require ip 192.168.1.0/24
Require ip your.trusted.ip.address
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.