Boxzilla – Pop-Ups for WordPress Security & Risk Analysis

wordpress.org/plugins/boxzilla

Flexible pop-ups or slide-ins, showing up at just the right time.

20K active installs v3.4.7 PHP 7.4+ WP 4.6+ Updated Mar 9, 2026
Tags: call-to-action, modal, pop-up, pop-ups

Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Boxzilla – Pop-Ups for WordPress Safe to Use in 2026?

Generally Safe

Score 100/100

Boxzilla – Pop-Ups for WordPress has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2mo ago
Risk Assessment

The Boxzilla plugin v3.4.7 presents a mixed security posture. On the positive side, it handles SQL queries well, using prepared statements for all 11 queries, and it has no recorded vulnerabilities (CVEs), a strong indicator of past security diligence. However, the static analysis reveals several areas of concern. The presence of an unprotected AJAX handler represents a significant security risk, as it could be exploited without proper user authentication. While a reasonable share of outputs are properly escaped, a notable 28% remain unescaped, which could lead to Cross-Site Scripting (XSS) if malicious data is processed. The taint analysis indicates two flows with unsanitized paths, though neither reached critical or high severity in this analysis. The complete absence of nonce checks on any entry point is also a deficiency. The plugin's strengths lie in its SQL security and lack of past vulnerabilities, but the unprotected AJAX handler and output escaping issues require immediate attention to strengthen its overall security.

Key Concerns

  • Unprotected AJAX handler
  • Significant unescaped output
  • Taint flows with unsanitized paths
  • No nonce checks on entry points
Vulnerabilities
None known

Boxzilla – Pop-Ups for WordPress Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Boxzilla – Pop-Ups for WordPress Release Timeline

v3.4.7 (current)
v3.4.6
v3.4.5
v3.4.4
v3.4.3
v3.4.2
v3.4.1
v3.4.0
v3.3.3
v3.3.2
v3.3.1
v3.3.0
v3.2.27
v3.2.26
v3.2.25
v3.2.24
v3.2.23
v3.2.22
v3.2.21
v3.2.20
Code Analysis
Analyzed Mar 16, 2026

Boxzilla – Pop-Ups for WordPress Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
11 prepared
Unescaped Output
28
73 escaped
Nonce Checks
0
Capability Checks
5
File Operations
0
External Requests
2
Bundled Libraries
0

SQL Query Safety

100% prepared, 11 total queries

Output Escaping

72% escaped, 101 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows, 2 with unsanitized paths
Flow: ajax (src\admin\class-autocomplete.php:15)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
1 unprotected

Boxzilla – Pop-Ups for WordPress Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_boxzilla_autocomplete · src\admin\class-autocomplete.php:9

Shortcodes 1

[boxzilla_link] src\default-actions.php:46
WordPress Hooks 45
action plugins_loaded (boxzilla.php:51)
action template_redirect (boxzilla.php:69)
action admin_init (src\admin\class-admin.php:54)
action admin_init (src\admin\class-admin.php:55)
action init (src\admin\class-admin.php:56)
action admin_menu (src\admin\class-admin.php:57)
action admin_notices (src\admin\class-admin.php:58)
action save_post_boxzilla-box (src\admin\class-admin.php:59)
action trashed_post (src\admin\class-admin.php:60)
action untrashed_post (src\admin\class-admin.php:61)
filter bulk_actions-edit-boxzilla-box (src\admin\class-admin.php:62)
filter handle_bulk_actions-edit-boxzilla-box (src\admin\class-admin.php:63)
action admin_enqueue_scripts (src\admin\class-admin.php:169)
action add_meta_boxes (src\admin\class-admin.php:170)
filter tiny_mce_before_init (src\admin\class-admin.php:171)
filter manage_edit-boxzilla-box_columns (src\admin\class-admin.php:172)
action manage_boxzilla-box_posts_custom_column (src\admin\class-admin.php:173)
filter admin_footer_text (src\admin\class-admin.php:174)
filter plugin_action_links (src\admin\class-admin.php:177)
filter plugin_row_meta (src\admin\class-admin.php:178)
action admin_head-nav-menus.php (src\admin\class-menu.php:9)
filter customize_nav_menu_available_item_types (src\admin\class-menu.php:12)
filter customize_nav_menu_available_items (src\admin\class-menu.php:13)
action admin_notices (src\admin\class-notices.php:17)
action admin_notices (src\admin\class-review-notice.php:24)
action boxzilla_admin_dismiss_review_notice (src\admin\class-review-notice.php:25)
action wp_head (src\class-loader.php:42)
action wp_footer (src\class-loader.php:44)
action wp_enqueue_scripts (src\class-loader.php:45)
action init (src\default-actions.php:8)
action admin_init (src\default-actions.php:50)
filter boxzilla_box_content (src\default-filters.php:7)
filter boxzilla_box_content (src\default-filters.php:8)
filter boxzilla_box_content (src\default-filters.php:9)
filter boxzilla_box_content (src\default-filters.php:10)
filter boxzilla_box_content (src\default-filters.php:11)
filter boxzilla_box_content (src\default-filters.php:12)
filter boxzilla_box_content (src\default-filters.php:18)
filter nav_menu_link_attributes (src\default-filters.php:25)
action boxzilla_after_settings (src\licensing\class-license-manager.php:62)
action admin_notices (src\licensing\class-license-manager.php:63)
action boxzilla_check_license_status (src\licensing\class-poller.php:38)
filter pre_set_site_transient_update_plugins (src\licensing\class-update-manager.php:46)
filter plugins_api (src\licensing\class-update-manager.php:47)
filter http_request_args (src\licensing\class-update-manager.php:48)

Scheduled Events 1

boxzilla_check_license_status
Maintenance & Trust

Boxzilla – Pop-Ups for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 9, 2026
PHP min version: 7.4
Downloads: 823K

Community Trust

Rating: 96/100
Number of ratings: 131
Active installs: 20K
Developer Profile

Boxzilla – Pop-Ups for WordPress Developer Profile

Danny van Kooten

9 plugins · 1.1M total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 708 days
Detection Fingerprints

How We Detect Boxzilla – Pop-Ups for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/boxzilla/admin/css/boxzilla-admin.css
/wp-content/plugins/boxzilla/admin/js/boxzilla-admin.js
/wp-content/plugins/boxzilla/public/css/boxzilla.css
/wp-content/plugins/boxzilla/public/js/boxzilla.js
Script Paths
/wp-content/plugins/boxzilla/admin/js/boxzilla-admin.js
/wp-content/plugins/boxzilla/public/js/boxzilla.js
Version Parameters
boxzilla/admin/css/boxzilla-admin.css?ver=
boxzilla/admin/js/boxzilla-admin.js?ver=
boxzilla/public/css/boxzilla.css?ver=
boxzilla/public/js/boxzilla.js?ver=

HTML / DOM Fingerprints

CSS Classes
boxzilla-box, boxzilla-close, boxzilla-overlay, boxzilla-content
HTML Comments
"Boxzilla Plugin"; "Copyright (C) 2013 Danny van Kooten"; "This program is free software: you can redistribute it and/or modify"; "This program is distributed in the hope that it will be useful"; +4 more
Data Attributes
data-boxzilla-id, data-boxzilla-delay, data-boxzilla-expires, data-boxzilla-cookie-path, data-boxzilla-cookie-domain, data-boxzilla-cookie-same-site, +7 more
JS Globals
Boxzilla
FAQ

Frequently Asked Questions about Boxzilla – Pop-Ups for WordPress