CM Pop-Up – Create engaging popups to capture attention and boost interaction Security & Risk Analysis

wordpress.org/plugins/cm-pop-up-banners

Create and customize popups. Display messages, Call to actions, promotions, or announcements to engage visitors and boost interaction.

9K active installs · v1.8.5 · PHP 5.2.4+ · WP 5.4.0+ · Updated Jan 29, 2026
Tags: popup, popup-builder, popup-maker, popups, wp-popup
Score: 94 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Jul 16, 2025

Safety Verdict

Is CM Pop-Up – Create engaging popups to capture attention and boost interaction Safe to Use in 2026?

Generally Safe

Score 94/100

CM Pop-Up – Create engaging popups to capture attention and boost interaction has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Jul 16, 2025 · Updated 2mo ago

Risk Assessment

The 'cm-pop-up-banners' plugin v1.8.5 presents a mixed security posture. While it utilizes some good practices like nonce checks and capability checks, these are applied inconsistently across its attack surface. A significant concern is the high number of unprotected AJAX handlers, which represent a direct entry point for attackers to potentially exploit. The presence of the 'unserialize' function, especially without clear sanitization context, is a red flag that could lead to deserialization vulnerabilities. Furthermore, a notable percentage of SQL queries are not using prepared statements, increasing the risk of SQL injection.

The plugin's vulnerability history is a major area of concern. With 5 known CVEs, including one high-severity vulnerability, and common types like missing authorization, XSS, and SQL injection, it indicates a recurring pattern of security weaknesses. Although there are currently no unpatched CVEs, the historical prevalence of these vulnerability types suggests a need for more robust security development practices. The taint analysis, while showing no critical or high severity flows, still found one unsanitized path, reinforcing the need for careful input validation and sanitization throughout the codebase.

In conclusion, the plugin exhibits several weaknesses: inconsistent authorization on its AJAX endpoints, potential deserialization risk from 'unserialize', and a concerning history of past vulnerabilities. While some security measures are in place, the overall security posture requires improvement. Given the unprotected entry points and the past vulnerabilities, users should exercise caution, keep the plugin updated to the latest available version, and monitor for future security advisories.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous function: unserialize
  • SQL queries without prepared statements
  • Low output escaping percentage
  • High severity CVE history
  • Bundled libraries (potential for outdated versions)
  • Unsanitized paths in taint analysis

Vulnerabilities: 5

CM Pop-Up – Create engaging popups to capture attention and boost interaction Security Vulnerabilities

CVEs by Year

  • 2020: 1 CVE
  • 2023: 1 CVE
  • 2024: 2 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 4

5 total CVEs

CVE-2025-54018 · medium · 4.3 · Missing Authorization

CM Pop-Up banners <= 1.8.4 - Missing Authorization

Jul 16, 2025 · Patched in 1.8.5 (6d)

CVE-2024-5799 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CM Pop-Up Banners <= 1.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Aug 22, 2024 · Patched in 1.7.3 (44d)

CVE-2024-5004 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CM Popup Plugin for WordPress – Popup Maker <= 1.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 1, 2024 · Patched in 1.6.6 (40d)

CVE-2023-30750 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CM Pop-Up banners <= 1.5.10 - Authenticated (Subscriber+) SQL Injection via getStatistics

May 3, 2023 · Patched in 1.6.0 (265d)

WF-e9b28209-498f-4319-be87-3f54c64d9ccd-cm-pop-up-banners · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CM Pop-Up banners <= 1.4.10 - Authenticated Stored Cross-Site Scripting

Mar 27, 2020 · Patched in 1.5.0 (1397d)

Code Analysis
Analyzed Mar 16, 2026

CM Pop-Up – Create engaging popups to capture attention and boost interaction Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 9 (5 prepared)
  • Unescaped Output: 184 (157 escaped)
  • Nonce Checks: 4
  • Capability Checks: 3
  • File Operations: 4
  • External Requests: 7
  • Bundled Libraries: 2

Dangerous Functions Found

unserialize: $allOptions = unserialize( $allExistingIds ); (shared\classes\CMPopUpBannersShared.php:1073)

Bundled Libraries

DataTables, Select2

SQL Query Safety

36% prepared · 14 total queries

Output Escaping

46% escaped · 341 total outputs

Data Flows: 1 unsanitized

Data Flow Analysis

3 flows · 1 with unsanitized paths
cminds_system_info_content (package\cminds-free.php:2734)

Attack Surface: 7 unprotected

CM Pop-Up – Create engaging popups to capture attention and boost interaction Attack Surface

Entry Points: 14
Unprotected: 7

AJAX Handlers 9

auth · wp_ajax_cm_popupflyin_preview · backend\classes\CMPopUpBannersBackend.php:147
auth · wp_ajax_cm_pub_addesigner · backend\classes\CMPopUpBannersBackend.php:166
auth · wp_ajax_cm_popupflyin_register_click · backend\classes\CMPopUpBannersBackend.php:168
nopriv · wp_ajax_cm_popupflyin_register_click · backend\classes\CMPopUpBannersBackend.php:169
auth · wp_ajax_cm_popupflyin_prepare_statistics_data · backend\classes\CMPopUpBannersBackend.php:171
auth · wp_ajax_cm-submit-uninstall-reason · package\cminds-free.php:147
auth · wp_ajax_cm-submit-registration-email · package\cminds-free.php:148
auth · wp_ajax_cm-submit-deregistration · package\cminds-free.php:149
auth · wp_ajax_cm-submit-registration-skip · package\cminds-free.php:150

Shortcodes 5

[cminds_free_registration] package\cminds-free.php:54
[cminds_free_guide] package\cminds-free.php:55
[cminds_upgrade_box] package\cminds-free.php:56
[cminds_free_activation] package\cminds-free.php:57
[cminds_pro_ads] shared\classes\CMPopUpBannersShared.php:71

WordPress Hooks 46

action · current_screen · backend\classes\CMPOPFLY_Import_Export.php:15
action · current_screen · backend\classes\CMPOPFLY_Import_Export.php:16
filter · query_vars · backend\classes\CMPopUpBannersBackend.php:111
action · parse_query · backend\classes\CMPopUpBannersBackend.php:112
filter · meta_content · backend\classes\CMPopUpBannersBackend.php:118
filter · meta_content · backend\classes\CMPopUpBannersBackend.php:119
filter · meta_content · backend\classes\CMPopUpBannersBackend.php:120
filter · meta_content · backend\classes\CMPopUpBannersBackend.php:121
filter · meta_content · backend\classes\CMPopUpBannersBackend.php:122
filter · meta_content · backend\classes\CMPopUpBannersBackend.php:123
filter · meta_content · backend\classes\CMPopUpBannersBackend.php:124
filter · mce_css · backend\classes\CMPopUpBannersBackend.php:130
action · init · backend\classes\CMPopUpBannersBackend.php:132
action · admin_init · backend\classes\CMPopUpBannersBackend.php:133
action · current_screen · backend\classes\CMPopUpBannersBackend.php:134
action · save_post · backend\classes\CMPopUpBannersBackend.php:136
action · admin_menu · backend\classes\CMPopUpBannersBackend.php:138
filter · page_row_actions · backend\classes\CMPopUpBannersBackend.php:140
filter · post_type_link · backend\classes\CMPopUpBannersBackend.php:149
filter · plugins_loaded · backend\classes\CMPopUpBannersBackend.php:150
action · add_meta_boxes · backend\classes\CMPopUpBannersBackend.php:155
action · save_post · backend\classes\CMPopUpBannersBackend.php:156
action · update_post · backend\classes\CMPopUpBannersBackend.php:157
action · admin_notices · backend\classes\CMPopUpBannersBackend.php:162
action · wp_trash_post · backend\classes\CMPopUpBannersBackend.php:173
action · admin_bar_menu · backend\classes\CMPopUpBannersBackend.php:177
action · admin_enqueue_scripts · backend\classes\CMPopUpBannersBackend.php:1179
filter · wp_enqueue_scripts · frontend\classes\CMPopUpBannersFrontend.php:58
action · activated_plugin · package\cminds-free.php:31
action · admin_init · package\cminds-free.php:33
action · admin_menu · package\cminds-free.php:34
action · admin_enqueue_scripts · package\cminds-free.php:35
action · admin_enqueue_scripts · package\cminds-free.php:36
action · cminds_download_sysinfo · package\cminds-free.php:48
action · init · package\cminds-free.php:50
action · init · package\cminds-free.php:51
filter · plugin_row_meta · package\cminds-free.php:59
action · wp_dashboard_setup · package\cminds-free.php:62
action · admin_footer · package\cminds-free.php:157
filter · wp_mail_content_type · package\cminds-free.php:311
filter · wp_mail_content_type · package\cminds-free.php:2082
filter · wp_mail_content_type · package\cminds-free.php:2173
filter · cmreg_registration_ajax_response · shared\classes\CMPopUpBannersShared.php:72
action · wp_loaded · shared\classes\CMPopUpBannersShared.php:73
action · template_redirect · shared\classes\CMPopUpBannersShared.php:74
action · admin_enqueue_scripts · shared\classes\settings\CMPOPFLY_Settings.php:12

Maintenance & Trust

CM Pop-Up – Create engaging popups to capture attention and boost interaction Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 29, 2026
  • PHP min version: 5.2.4
  • Downloads: 520K

Community Trust

  • Rating: 68/100
  • Number of ratings: 13
  • Active installs: 9K

Developer Profile

CM Pop-Up – Create engaging popups to capture attention and boost interaction Developer Profile

CreativeMindsSolutions

19 plugins · 22K total installs

  • Trust score: 76
  • Avg Security Score: 95/100
  • Avg Patch Time: 546 days

Detection Fingerprints

How We Detect CM Pop-Up – Create engaging popups to capture attention and boost interaction

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/cm-pop-up-banners/package/css/style.css
  • /wp-content/plugins/cm-pop-up-banners/package/css/font-awesome.min.css
  • /wp-content/plugins/cm-pop-up-banners/package/js/cookie.min.js
  • /wp-content/plugins/cm-pop-up-banners/package/js/moment.min.js
  • /wp-content/plugins/cm-pop-up-banners/package/js/script.js
  • /wp-content/plugins/cm-pop-up-banners/package/js/cookie.js
  • /wp-content/plugins/cm-pop-up-banners/package/js/moment.js
  • /wp-content/plugins/cm-pop-up-banners/package/js/free.js
Generator Patterns
CM Pop-Up Banners for WordPress
Version Parameters
  • /wp-content/plugins/cm-pop-up-banners/package/js/script.js?ver=
  • /wp-content/plugins/cm-pop-up-banners/package/js/cookie.min.js?ver=
  • /wp-content/plugins/cm-pop-up-banners/package/js/moment.min.js?ver=
  • /wp-content/plugins/cm-pop-up-banners/package/css/style.css?ver=
  • /wp-content/plugins/cm-pop-up-banners/package/css/font-awesome.min.css?ver=
  • /wp-content/plugins/cm-pop-up-banners/package/js/free.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • cm-popup-banner-wrapper
  • cm-popup-banner-content
  • cm-popup-banner-close
  • cm-popup-banner-overlay
HTML Comments
  • <!-- Plugin Name: CM Pop-Up Banners for WordPress -->
  • <!-- Plugin URI: https://www.cminds.com/wordpress-plugins-library/pop-up-banners-plugin-for-wordpress/ -->
  • <!-- Author: CreativeMindsSolutions -->
  • <!-- Plugin Name: CM Pop-Up Banners -->
Data Attributes
  • data-cm-popup-id
  • data-cm-popup-options
JS Globals
  • CMPopUpBanners
  • cmPopUpBannersVars
REST Endpoints
/wp-json/cm-popup-banners/v1/track