CVE-2026-54192 | Severity: HIGH | CNA: Patchstack

CVE-2026-54192: WordPress Popup box plugin <= 6.2.9 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Popup box <= 6.2.9 versions.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Reflected Cross-Site Scripting (XSS) in the Popup box WordPress plugin (versions up to and including 6.2.9) allows an unauthenticated attacker to inject malicious JavaScript into a victim's browser by tricking them into clicking a crafted link. The attack is delivered over the network and requires no authentication, but does require the victim to follow the attacker-controlled URL. Successful exploitation gives the attacker script execution in the victim's browser session, enabling session theft, page content manipulation, or unauthorized actions on the victim's behalf. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as a fix version is published upstream.

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-54192 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images, including custom-built images that bundle the Popup box plugin. Any image in a connected registry or CI pipeline that includes an affected version of the plugin is flagged automatically.

Triage (status: Available)

HarborGuard scores this CVE at CVSS 7.1 HIGH and is capable of weighting that score against each customer environment's compliance policy to surface the finding at the appropriate severity tier. Routing rules within each organization can direct the alert to the team responsible for WordPress plugin maintenance or container image ownership.

Patch (status: Pending upstream)

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The attacker must deliver a crafted URL to a victim who has network access to the WordPress site, making over-the-network exposure a prerequisite.

  • Authentication: Not required

    No account or credentials are needed; the malicious payload can be embedded in a link sent to any user, including unauthenticated visitors.

  • Victim interaction: Required

    The victim must click or follow the attacker-crafted URL, making social engineering (for example, phishing or a malicious redirect) a necessary step.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental factors beyond delivering the link.

Blast Radius

  • The attacker executes arbitrary JavaScript in the victim's browser session, giving access to session cookies and authentication tokens stored for that origin.
  • The attacker can read and exfiltrate any page content visible to the victim, including personal data, form inputs, or WordPress admin information if the victim is a logged-in administrator.
  • The attacker can modify page content rendered in the victim's browser, enabling credential-harvesting overlays or redirection to external sites.
  • Because the scope is changed (S:C in the CVSS vector), the injected script can interact with resources beyond the vulnerable plugin itself, including other components loaded on the same WordPress installation.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-54192 is active for any scanned image containing the Popup box plugin at version 6.2.9 or earlier, with no configuration required. Because no upstream fix has been published, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild the moment a remediated version is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be initiated automatically without manual steps. In the interim, compensating controls worth considering include network-policy rules that restrict access to the WordPress instance to known user populations, web application firewall rules targeting reflected XSS patterns in query parameters handled by the plugin, and disabling or removing the Popup box plugin if it is not actively required in production images.

Affected packages
  • Ays Pro / Popup box
    ≤ 6.2.9
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L