CVE-2026-1165: CWE-352 Cross-Site Request Forgery (CSRF) in ays-pro Popup Box – Create Countdown, Coupon, Video, Contact Form Popups
The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
AI Analysis
Technical Summary
CVE-2026-1165 is a Cross-Site Request Forgery (CSRF) weakness in the Popup Box plugin for WordPress (ays-pro), which builds countdown, coupon, video and contact-form popups. All versions up to and including 6.1.1 are affected. The 'publish_unpublish_popupbox' function is meant to be protected by a WordPress nonce, but instead of verifying the nonce token submitted with the request it generates a fresh nonce inside the handler and verifies that one. A nonce created and checked in the same server-side code path always validates for the logged-in user and the current time window, so the check can never fail: any request, from any origin, passes as long as the browser attaches the administrator's authentication cookie. An attacker who gets an administrator to open a crafted link or page can therefore change the publish status of popups without the administrator's consent. The attacker needs no account on the site; what is required is that a privileged user interacts with attacker-controlled content, so exploitation depends on social engineering. The impact is to integrity only: popup status can be toggled, but no data is exposed and availability is unaffected. The CVSS 3.1 base score is 4.3 (medium). No exploitation in the wild has been reported and no patch was linked at the time this entry was published. The root cause is a common WordPress plugin mistake: the nonce check, which is the platform's CSRF control, is written so that it cannot fail. Note also that a nonce only proves where a request came from; it must be paired with a capability check such as current_user_can() to prove the user is allowed to perform the action.
Potential Impact
The impact is to the integrity of sites running the Popup Box plugin: an attacker can publish or unpublish popups, switching promotional or informational content on or off without authorization. Confidentiality and availability are not directly affected, but unauthorized content changes can confuse visitors, damage brand reputation, or support a follow-on phishing or social-engineering campaign. Exploitation requires an administrator to open attacker-controlled content while logged in, so it is opportunistic rather than automatable at scale, but sites with several administrators or less security-conscious staff are realistic targets. One caveat on exposure: current browsers treat authentication cookies that set no SameSite attribute as Lax, which withholds them on cross-site form POSTs but still sends them on top-level navigations, so a state change reachable through a clicked link, the vector the advisory describes, is not stopped by that browser default. Organizations that depend on this plugin for marketing or customer engagement may face operational disruption or loss of trust if popup content is manipulated. The absence of known exploits lowers the immediate risk, but the weakness remains a viable vector for targeted attacks.
Mitigation Recommendations
Update the Popup Box plugin as soon as a release that fixes the nonce check is available; if none is linked here, check the plugin's changelog directly. Until then, treat the plugin's publish/unpublish action as unprotected and be precise about which interim controls help. Multi-factor authentication does not mitigate CSRF: the victim is already authenticated, and the forged request rides on the existing session cookie. Administrator awareness does help, in particular not opening untrusted links while logged in to wp-admin and using a separate browser profile for site administration. A WAF cannot see PHP function names, but it can match the request that reaches the plugin's publish/unpublish action and reject it when the Origin or Referer header is missing or does not name the site's own host; that is a reasonable generic filter for state-changing requests under wp-admin. Keep the number of administrator accounts small, and log and review changes to popup publish status so an unexpected toggle is noticed quickly. For the plugin's developers, the fix is to verify the nonce the client submitted (check_admin_referer() or wp_verify_nonce() on the value taken from the request, with the nonce action bound to the specific popup ID) rather than a nonce generated inside the handler, and to pair that with a capability check such as current_user_can(), since a valid nonce shows where a request came from, not that the user may perform the action.
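As an added example that is not code from the Popup Box plugin or from this page, the following PHP contrasts the handler pattern described in the Technical Summary (a nonce created and then verified in the same code path) with a corrected handler that verifies the client-submitted nonce and checks capability, which is the developer-side fix named in the Mitigation Recommendations. Everything other than the function name 'publish_unpublish_popupbox' quoted in the text is assumed: the helper and hook names, the nonce action string, the capability, the request parameters and the admin-post dispatch.

```php
<?php
// Added illustration of the flaw pattern and its correction. This is NOT the
// Popup Box plugin's source: function names, the nonce action string, the
// capability, the request parameters and the admin-post dispatch are assumed.

// Assumed storage helper; stands in for whatever the plugin does with the row.
function popupbox_set_publish_status( $id, $status ) {
    update_option( 'popupbox_status_' . absint( $id ), absint( $status ) );
}

// --- Pattern the advisory describes: nonce created and verified in one path ---
function popupbox_publish_unpublish_vulnerable() {
    $id     = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    $status = isset( $_GET['status'] ) ? absint( $_GET['status'] ) : 0;

    // The handler mints a nonce for the current user ...
    $nonce = wp_create_nonce( 'popupbox_toggle_' . $id );
    // ... and verifies the value it just minted. wp_verify_nonce() checks the
    // token against the same user, action and time window that produced it,
    // so this branch is never taken. Nothing the client sent is examined, and
    // a forged cross-site request with the admin's cookie goes straight through.
    if ( ! wp_verify_nonce( $nonce, 'popupbox_toggle_' . $id ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    popupbox_set_publish_status( $id, $status );
}

// --- Hardened handler ---
function popupbox_publish_unpublish_fixed() {
    // 1. Authorization. A nonce proves provenance, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $id     = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    $status = isset( $_GET['status'] ) ? absint( $_GET['status'] ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Missing popup id', '', array( 'response' => 400 ) );
    }

    // 2. CSRF. Verify the token the CLIENT submitted. check_admin_referer()
    //    reads $_REQUEST['_wpnonce'] and calls wp_die() when it does not
    //    validate for the current user and this action. Binding the action
    //    string to the popup id also stops a nonce issued for one popup from
    //    being replayed against another.
    check_admin_referer( 'popupbox_toggle_' . $id );

    popupbox_set_publish_status( $id, $status );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// The legitimate toggle link rendered in wp-admin must carry the nonce;
// wp_nonce_url() appends _wpnonce for the given action.
function popupbox_toggle_link( $id, $new_status ) {
    $url = add_query_arg(
        array(
            'action' => 'popupbox_publish_unpublish',
            'id'     => absint( $id ),
            'status' => absint( $new_status ),
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'popupbox_toggle_' . absint( $id ) );
}

// Dispatch via admin-post.php (assumed); the hook name is admin_post_{action}.
add_action( 'admin_post_popupbox_publish_unpublish', 'popupbox_publish_unpublish_fixed' );
```

The corrected handler works because a WordPress nonce is an HMAC over the user's session token, the action string and the current time tick; a page on another origin cannot read or compute the `_wpnonce` value for the victim, so a forged request arrives without a valid token and check_admin_referer() stops it. The capability check comes first so that an unprivileged but logged-in user is rejected before any nonce work is done.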
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-19T01:15:36.466Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697e1164ac0632022238f8e7
Added to database: 1/31/2026, 2:27:48 PM
Last enriched: 2/26/2026, 6:57:16 PM
Last updated: 3/17/2026, 4:27:28 PM