Popup Box – Create Countdown, Coupon, Video, Contact Form Popups Security & Risk Analysis

wordpress.org/plugins/ays-popup-box

Build flexible popups and modal windows with multiple popup types, triggers, and display controls.

50K active installs · v6.1.9 · PHP + WP 4.0+ · Updated Mar 11, 2026
Tags: exit-popup, modal, pop-up, popup, popups
92
A · Safe
CVEs total: 17
Unpatched: 0
Last CVE: Jan 30, 2026
Safety Verdict

Is Popup Box – Create Countdown, Coupon, Video, Contact Form Popups Safe to Use in 2026?

Generally Safe

Score 92/100

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups has a strong security track record. Known vulnerabilities have been patched promptly.

17 known CVEs · Last CVE: Jan 30, 2026 · Updated 23d ago
Risk Assessment

The 'ays-popup-box' plugin, version 6.1.9, presents a mixed security posture. While it demonstrates some good practices, such as a high percentage of SQL queries using prepared statements and a significant number of capability checks, it also exhibits several concerning weaknesses. The attack surface is substantial, with 22 AJAX handlers, and alarmingly, 21 of these lack authentication checks, creating numerous potential entry points for unauthorized actions. Furthermore, the taint analysis reveals 4 high-severity flows, indicating potential risks related to improper input handling that could lead to security vulnerabilities. The plugin's historical vulnerability record is also a significant red flag, with 17 known CVEs, including a recent one in 2026. The prevalence of Cross-Site Request Forgery, Missing Authorization, Cross-Site Scripting, and SQL Injection in past vulnerabilities suggests recurring security flaws that need to be addressed.

Despite the presence of some security measures, the high number of unprotected AJAX endpoints and the critical taint analysis findings are significant risks. The historical data also points to a pattern of common and severe vulnerability types, suggesting that fundamental security issues may persist. While the plugin has a large number of outputs and a good percentage are escaped, the 4 high-severity taint flows are a more immediate concern. The plugin's overall security is compromised by these factors, necessitating careful consideration of its use or prompt mitigation of the identified risks.

Key Concerns

  • 21 unprotected AJAX handlers
  • 4 high severity taint flows
  • 17 known CVEs in history
  • Historical vulnerabilities include CSRF, Missing Auth, XSS, SQLi
  • Bundled library: Select2 (potential for outdated versions)

Vulnerabilities: 17

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups Security Vulnerabilities

CVEs by Year

  • 2021: 2 CVEs
  • 2023: 6 CVEs
  • 2024: 6 CVEs
  • 2025: 2 CVEs
  • 2026: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 16

17 total CVEs

CVE-2026-1165 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Popup Box <= 6.1.1 - Cross-Site Request Forgery to Popup Status Change

Jan 30, 2026 Patched in 6.1.2 (2d)

CVE-2025-69021 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Popup box <= 6.0.7 - Cross-Site Request Forgery

Dec 28, 2025 Patched in 6.0.8 (10d)

CVE-2025-57931 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Popup box <= 5.5.4 - Cross-Site Request Forgery

Oct 29, 2025 Patched in 5.5.5 (7d)

CVE-2024-10861 · medium · 5.3 · Missing Authorization

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups <= 4.9.7 - Missing Authorization to Unauthenticated Limited Options Update

Nov 15, 2024 Patched in 4.9.8 (1d)

CVE-2024-9599 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup Box <= 4.7.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 31, 2024 Patched in 4.7.8 (211d)

CVE-2024-37096 · medium · 4.3 · Missing Authorization

Popup box <= 4.5.1 - Missing Authorization

Jun 20, 2024 Patched in 4.5.2 (7d)

CVE-2024-34367 · medium · 6.1 · Cross-Site Request Forgery (CSRF)

Popup box <= 4.1.2 - Cross-Site Request Forgery

May 3, 2024 Patched in 4.1.3 (5d)

CVE-2024-3897 · medium · 5.3 · Missing Authorization

Popup Box – Best WordPress Popup Plugin <= 4.3.6 - Missing Authorization to Information Exposure

Apr 24, 2024 Patched in 4.3.7 (9d)

CVE-2023-6591 · medium · 6.6 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup Box Business (7.0.0 - 7.9.0) and Developer (20.0.0 - 20.9.0) - Authenticated (Admin+) Stored Cross-Site Scripting

Jan 22, 2024 Patched in 7.9.0 (197d)

CVE-2023-5809 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup Box <= 3.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Nov 13, 2023 Patched in 3.8.7 (71d)

CVE-2023-5874 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup Box <= 3.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Nov 13, 2023 Patched in 3.8.7 (71d)

CVE-2023-5343 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup Box – Best WordPress Popup Plugin <= 3.7.8 - Authenticated (Admin+) Stored Cross-Site Scripting

Oct 27, 2023 Patched in 3.7.9 (88d)

CVE-2023-4390 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup Box <= 3.7.1 - Authenticated(Administrator+) Stored Cross-Site Scripting

Aug 29, 2023 Patched in 3.7.2 (147d)

WF-1289ead7-1af1-417d-aa47-7d07268f956c-ays-popup-box · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup Box <= 3.7.0 - Authenticated(Administrator+) Stored Cross-Site Scripting

Aug 18, 2023 Patched in 3.7.1 (158d)

CVE-2023-27414 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup box <= 3.4.4 - Reflected Cross-Site Scripting via 'ays_pb_tab' Parameter

Mar 8, 2023 Patched in 3.4.5 (321d)

WF-8c68cf18-0210-452f-933e-6f1e50323b15-ays-popup-box · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup box <= 2.3.3 - Cross-Site Scripting

Jun 29, 2021 Patched in 2.3.4 (938d)

CVE-2021-24458 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Popup box < 2.3.4 - Authenticated SQL Injection

Jun 29, 2021 Patched in 2.3.4 (938d)
Code Analysis
Analyzed Mar 16, 2026

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 5 (49 prepared)
  • Unescaped Output: 454 (1461 escaped)
  • Nonce Checks: 42
  • Capability Checks: 57
  • File Operations: 2
  • External Requests: 4
  • Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

91% prepared · 54 total queries

Output Escaping

76% escaped · 1915 total outputs

Data Flows: 5 unsanitized

Data Flow Analysis

13 flows · 5 with unsanitized paths
deactivate_plugin_option (admin\class-ays-pb-admin.php:715)

Attack Surface: 21 unprotected

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups Attack Surface

Entry Points: 32
Unprotected: 21

AJAX Handlers 22

auth wp_ajax_ays_pb_deactivate_feedback includes\class-ays-pb-feedback.php:35
auth wp_ajax_deactivate_plugin_option_pb includes\class-ays-pb.php:252
nopriv wp_ajax_deactivate_plugin_option_pb includes\class-ays-pb.php:253
auth wp_ajax_get_selected_options_pb includes\class-ays-pb.php:256
auth wp_ajax_ays_pb_dismiss_button includes\class-ays-pb.php:269
nopriv wp_ajax_ays_pb_dismiss_button includes\class-ays-pb.php:270
auth wp_ajax_ays_pb_create_author includes\class-ays-pb.php:273
nopriv wp_ajax_ays_pb_create_author includes\class-ays-pb.php:274
auth wp_ajax_close_warning_note_permanently includes\class-ays-pb.php:277
nopriv wp_ajax_close_warning_note_permanently includes\class-ays-pb.php:278
auth wp_ajax_ays_pb_install_plugin includes\class-ays-pb.php:281
nopriv wp_ajax_ays_pb_install_plugin includes\class-ays-pb.php:282
auth wp_ajax_ays_pb_activate_plugin includes\class-ays-pb.php:285
nopriv wp_ajax_ays_pb_activate_plugin includes\class-ays-pb.php:286
auth wp_ajax_ays_pb_change_status includes\class-ays-pb.php:289
nopriv wp_ajax_ays_pb_change_status includes\class-ays-pb.php:290
auth wp_ajax_ays_pb_set_cookie_only_once includes\class-ays-pb.php:409
nopriv wp_ajax_ays_pb_set_cookie_only_once includes\class-ays-pb.php:410
auth wp_ajax_ays_increment_pb_views includes\class-ays-pb.php:413
nopriv wp_ajax_ays_increment_pb_views includes\class-ays-pb.php:414
auth wp_ajax_ays_increment_pb_conversions includes\class-ays-pb.php:417
nopriv wp_ajax_ays_increment_pb_conversions includes\class-ays-pb.php:418

Shortcodes 10

[ays_pb] public\class-ays-pb-public.php:128
[ays_pb_user_first_name] public\partials\class-ays-pb-user-information-shortcodes.php:61
[ays_pb_user_last_name] public\partials\class-ays-pb-user-information-shortcodes.php:62
[ays_pb_user_display_name] public\partials\class-ays-pb-user-information-shortcodes.php:63
[ays_pb_user_nickname] public\partials\class-ays-pb-user-information-shortcodes.php:64
[ays_pb_user_email] public\partials\class-ays-pb-user-information-shortcodes.php:65
[ays_pb_current_author] public\partials\class-ays-pb-user-information-shortcodes.php:66
[ays_pb_user_roles] public\partials\class-ays-pb-user-information-shortcodes.php:67
[ays_pb_cat_title] public\partials\class-pb-category-shortcode.php:60
[ays_pb_cat_description] public\partials\class-pb-category-shortcode.php:61

WordPress Hooks 68

filter set-screen-option admin\class-ays-pb-admin.php:58
action wp_enqueue_scripts admin\class-ays-pb-admin.php:1557
action wp_enqueue_scripts admin\class-ays-pb-admin.php:1558
action admin_enqueue_scripts admin\class-ays-pb-admin.php:1559
action admin_enqueue_scripts admin\class-ays-pb-admin.php:1560
action wp_print_scripts admin\class-ays-pb-admin.php:1561
action wp_print_styles admin\class-ays-pb-admin.php:1562
action wp_head admin\class-ays-pb-admin.php:1563
action admin_head admin\class-ays-pb-admin.php:1564
action admin_notices admin\class-ays-pb-admin.php:1980
action plugins_loaded ays-pb.php:77
action admin_notices ays-pb.php:95
action plugins_loaded includes\class-ays-pb-ays-welcome.php:18
action admin_menu includes\class-ays-pb-ays-welcome.php:22
action admin_head includes\class-ays-pb-ays-welcome.php:23
action admin_init includes\class-ays-pb-ays-welcome.php:24
action admin_enqueue_scripts includes\class-ays-pb-ays-welcome.php:25
action current_screen includes\class-ays-pb-feedback.php:26
action admin_enqueue_scripts includes\class-ays-pb-feedback.php:31
action admin_footer includes\class-ays-pb-feedback.php:61
action plugins_loaded includes\class-ays-pb.php:189
action admin_enqueue_scripts includes\class-ays-pb.php:204
action admin_enqueue_scripts includes\class-ays-pb.php:205
action admin_enqueue_scripts includes\class-ays-pb.php:206
action admin_menu includes\class-ays-pb.php:209
action admin_menu includes\class-ays-pb.php:212
action admin_menu includes\class-ays-pb.php:215
action admin_menu includes\class-ays-pb.php:218
action admin_menu includes\class-ays-pb.php:221
action admin_menu includes\class-ays-pb.php:224
action admin_menu includes\class-ays-pb.php:227
action admin_menu includes\class-ays-pb.php:230
action admin_menu includes\class-ays-pb.php:233
action admin_menu includes\class-ays-pb.php:236
action admin_menu includes\class-ays-pb.php:239
action admin_menu includes\class-ays-pb.php:242
filter plugin_row_meta includes\class-ays-pb.php:249
action admin_enqueue_scripts includes\class-ays-pb.php:259
action in_admin_footer includes\class-ays-pb.php:262
action admin_notices includes\class-ays-pb.php:266
action current_screen includes\class-ays-pb.php:297
action ays_pb_popup_page_integrations includes\class-ays-pb.php:314
action ays_pb_settings_page_integrations includes\class-ays-pb.php:317
filter ays_pb_popup_page_integrations_contents includes\class-ays-pb.php:321
filter ays_pb_settings_page_integrations_contents includes\class-ays-pb.php:324
filter ays_pb_popup_page_integrations_contents includes\class-ays-pb.php:329
filter ays_pb_settings_page_integrations_contents includes\class-ays-pb.php:332
filter ays_pb_popup_page_integrations_contents includes\class-ays-pb.php:337
filter ays_pb_settings_page_integrations_contents includes\class-ays-pb.php:340
filter ays_pb_settings_page_integrations_contents includes\class-ays-pb.php:345
filter ays_pb_popup_page_integrations_contents includes\class-ays-pb.php:348
filter ays_pb_settings_page_integrations_contents includes\class-ays-pb.php:353
filter ays_pb_popup_page_integrations_contents includes\class-ays-pb.php:356
filter ays_pb_settings_page_integrations_contents includes\class-ays-pb.php:361
filter ays_pb_popup_page_integrations_contents includes\class-ays-pb.php:364
filter ays_pb_settings_page_integrations_contents includes\class-ays-pb.php:369
filter ays_pb_popup_page_integrations_contents includes\class-ays-pb.php:372
filter ays_pb_settings_page_integrations_contents includes\class-ays-pb.php:377
filter ays_pb_popup_page_integrations_contents includes\class-ays-pb.php:380
action init includes\class-ays-pb.php:400
action wp_footer includes\class-ays-pb.php:403
action wp_enqueue_scripts includes\class-ays-pb.php:404
action wp_enqueue_scripts includes\class-ays-pb.php:405
action wp_footer includes\class-ays-pb.php:406
action admin_notices includes\lists\class-ays-pb-list-table.php:27
action init includes\lists\class-ays-pb-list-table.php:32
action admin_notices includes\lists\class-ays-pb-popup-categories-list-table.php:27
action init includes\lists\class-ays-pb-popup-categories-list-table.php:32

Maintenance & Trust

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version
Downloads: 3.4M

Community Trust

Rating: 92/100
Number of ratings: 78
Active installs: 50K

Developer Profile

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups Developer Profile

Ays Pro

18 plugins · 111K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 216 days
Detection Fingerprints

How We Detect Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ays-popup-box/admin/css/main.min.css
/wp-content/plugins/ays-popup-box/admin/css/admin-style.css
/wp-content/plugins/ays-popup-box/admin/js/main.min.js
/wp-content/plugins/ays-popup-box/public/css/jquery.fancybox.min.css
/wp-content/plugins/ays-popup-box/public/css/style.css
/wp-content/plugins/ays-popup-box/public/js/jquery.fancybox.min.js
/wp-content/plugins/ays-popup-box/public/js/main.js
/wp-content/plugins/ays-popup-box/public/js/public.js

Generator Patterns
Popup Box Team

Script Paths
/wp-content/plugins/ays-popup-box/admin/js/main.min.js
/wp-content/plugins/ays-popup-box/public/js/jquery.fancybox.min.js
/wp-content/plugins/ays-popup-box/public/js/main.js
/wp-content/plugins/ays-popup-box/public/js/public.js

Version Parameters
ays-popup-box/admin/css/main.min.css?ver=
ays-popup-box/admin/css/admin-style.css?ver=
ays-popup-box/admin/js/main.min.js?ver=
ays-popup-box/public/css/jquery.fancybox.min.css?ver=
ays-popup-box/public/css/style.css?ver=
ays-popup-box/public/js/jquery.fancybox.min.js?ver=
ays-popup-box/public/js/main.js?ver=
ays-popup-box/public/js/public.js?ver=

HTML / DOM Fingerprints

CSS Classes
ays-notice-banner, ays-pb-notice, popup-box-logo, popup-box-upgrade-to-pro, popup-box-notice-one-time, ays-btn, toggle_ddmenu, toggle-ddmenu-bttn, +2 more

HTML Comments
<!-- Currently plugin version. * Start at version 1.0.0 and use SemVer - https://semver.org * Rename this for your plugin and update it as you release new versions. -->
<!-- If this file is called directly, abort. -->
<!-- The code that runs during plugin activation. * This action is documented in includes/class-ays-pb-activator.php -->
<!-- The code that runs during plugin deactivation. * This action is documented in includes/class-ays-pb-deactivator.php -->
+4 more

Data Attributes
data-expanded="false"

JS Globals
AYS_PB_NAME_VERSION, AYS_PB_NAME, AYS_PB_ADMIN_URL, AYS_PB_PUBLIC_URL, AYS_PB_DIR, AYS_PB_BASENAME

FAQ

Frequently Asked Questions about Popup Box – Create Countdown, Coupon, Video, Contact Form Popups