CVE-2026-1165

Name of the Vulnerable Software and Affected Versions Popup Box plugin for WordPress versions prior to 6.1.2

Description The Popup Box plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF). This is a result of a flawed nonce implementation within the publish unpublish popupbox function, which incorrectly validates a self-created nonce instead of a request-submitted nonce. Successful exploitation allows unauthenticated attackers to modify the publish status of popups by deceiving a site administrator into performing an action, such as clicking a malicious link.

Recommendations Update the Popup Box plugin to version 6.1.2 or later.