CVE-2026-1165 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Popup Box plugin for WordPress, specifically versions up to and including 6.1.1. The vulnerability stems from a flawed nonce implementation in the 'publish_unpublish_popupbox' function. Instead of verifying the nonce submitted with the request, the function verifies a self-created nonce, which effectively bypasses the intended CSRF protection. This flaw allows an attacker to craft a malicious request that, when executed by an authenticated site administrator (e.g., by clicking a link), can change the publish status of popups without the administrator’s explicit consent. Since the attacker does not need to be authenticated but requires user interaction, the attack vector is limited to social engineering or phishing techniques targeting administrators. The impact is limited to the integrity of popup content, potentially enabling unauthorized promotional or malicious content to be published. The vulnerability has a CVSS 3.1 base score of 4.3 (medium severity), reflecting its limited impact on confidentiality and availability but ease of exploitation with user interaction. No patches or known exploits are currently documented, but the plugin’s widespread use in marketing and e-commerce contexts makes this a relevant threat. The vulnerability is classified under CWE-352, which covers CSRF weaknesses due to improper request validation.

For European organizations, this vulnerability primarily threatens the integrity of web content managed via the Popup Box plugin on WordPress sites. Attackers could manipulate popup content to display unauthorized messages, promotions, or potentially malicious links, undermining user trust and brand reputation. While it does not directly compromise sensitive data or system availability, the unauthorized content changes could facilitate further attacks such as phishing or malware distribution. Organizations relying on popups for marketing, customer engagement, or lead generation may experience disruption or reputational damage. Additionally, regulatory compliance concerns may arise if manipulated content misleads users or violates advertising standards. The requirement for administrator interaction limits mass exploitation but does not eliminate risk, especially in environments with less stringent user awareness or where administrators have high privileges. The absence of known exploits suggests limited current active threat but does not preclude future exploitation once the vulnerability is widely known.

Immediate mitigation should focus on minimizing administrator exposure to unsolicited links and enhancing user awareness about phishing and social engineering tactics. Administrators should be trained to verify the legitimacy of links before clicking, especially those received via email or messaging platforms. Implementing strict role-based access controls to limit the number of users with publishing privileges reduces the attack surface. Web Application Firewalls (WAFs) can be configured to detect and block suspicious requests targeting the vulnerable endpoint. Monitoring and logging administrative actions related to popup publishing can help detect anomalous behavior early. Organizations should track the vendor’s updates and apply patches promptly once released. In the absence of an official patch, temporarily disabling the Popup Box plugin or replacing it with alternative, secure popup solutions can be considered. Additionally, reviewing and hardening nonce implementations in custom or third-party plugins can prevent similar vulnerabilities.