Depicter — Popup & Slider Builder Security & Risk Analysis

wordpress.org/plugins/depicter

Build Stunning Slider and Popup. Exit intent Popup, Image slider carousel, video slider carousel, post slider carousel, product slider, promote popup

90K active installs v4.7.1 PHP 7.4.0+ WP 5.9+ Updated Jan 14, 2026
carousel-slider, popup, post-slider, slider, slideshow
Score 89 · A · Safe
CVEs total: 14
Unpatched: 0
Last CVE: Jan 5, 2026
Safety Verdict

Is Depicter — Popup & Slider Builder Safe to Use in 2026?

Generally Safe

Score 89/100

Depicter — Popup & Slider Builder has a strong security track record. Known vulnerabilities have been patched promptly.

14 known CVEs · Last CVE: Jan 5, 2026 · Updated 2mo ago
Risk Assessment

The Depicter plugin v4.7.1 presents a concerning security posture, primarily due to its significant attack surface exposed without proper authentication checks. While the use of prepared statements for all SQL queries and the presence of nonce and capability checks are positive indicators, these strengths are heavily overshadowed by the fact that all three identified REST API routes lack permission callbacks. This means any authenticated user, regardless of their role, could potentially interact with these endpoints, leading to unauthorized actions or information disclosure.

The static analysis reveals a high number of total entry points (3), all of which are unprotected. Although no direct taint flows with unsanitized paths or dangerous functions were found, this does not negate the inherent risk of unprotected entry points. The history of 14 known CVEs, including high and medium severity vulnerabilities like SQL Injection, CSRF, Missing Authorization, and XSS, further exacerbates the risk. The fact that there are currently no unpatched vulnerabilities is a positive, but the sheer volume and types of past vulnerabilities suggest a recurring pattern of security weaknesses in the plugin's development.

In conclusion, Depicter v4.7.1 exhibits a critical security weakness due to unprotected REST API endpoints. While some good security practices are present, the lack of authorization on a significant portion of its attack surface, combined with a history of diverse and severe vulnerabilities, makes it a high-risk plugin. The plugin's strength lies in its SQL practices and some checks, but these are insufficient to mitigate the risks posed by its unprotected entry points and historical vulnerability profile.

Key Concerns

  • REST API routes without permission callbacks
  • High number of total entry points, all unprotected
  • 12 medium severity CVEs in vulnerability history
  • 2 high severity CVEs in vulnerability history
  • Output escaping not properly implemented for 34% of outputs
Vulnerabilities
14

Depicter — Popup & Slider Builder Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 8 CVEs
2025: 3 CVEs
2026: 2 CVEs

Severity Breakdown

High: 2
Medium: 12

14 total CVEs

CVE-2025-11370 · medium · 5.3 · Missing Authorization

Depicter <= 4.0.7 - Missing Authorization to Unauthenticated Display Rule Updates

Jan 5, 2026 Patched in 4.7.0 (1d)
CVE-2025-68558 · medium · 5.3 · Missing Authorization

Depicter Slider <= 4.0.4 - Missing Authorization

Jan 5, 2026 Patched in 4.0.5 (10d)
CVE-2025-11373 · medium · 4.3 · Missing Authorization

Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Safe File Type Upload

Nov 4, 2025 Patched in 4.0.5 (1d)
CVE-2025-8383 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Depicter <= 4.0.4 - Cross-Site Request Forgery

Oct 30, 2025 Patched in 4.0.5 (50d)
CVE-2025-2011 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Slider & Popup Builder by Depicter <= 3.6.1 - Unauthenticated SQL Injection via 's' Parameter

May 5, 2025 Patched in 3.6.2 (1d)
CVE-2024-4633 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel <= 3.2.1 - Authenticated (Author+) Stored Cross-Site Scripting

Dec 5, 2024 Patched in 3.2.2 (2d)
CVE-2024-47359 · medium · 5.3 · Missing Authorization

Depicter Slider <= 3.2.2 - Missing Authorization

Sep 30, 2024 Patched in 3.5.0 (11d)
CVE-2024-47381 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Depicter Slider <= 3.2.2 - Authenticated (Editor+) Stored Cross-Site Scripting

Sep 30, 2024 Patched in 3.5.0 (11d)
CVE-2024-4389 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel <= 3.1.1 - Authenticated (Contributor+) Arbitrary File Upload

Aug 13, 2024 Patched in 3.1.2 (1d)
CVE-2024-43161 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Depicter Slider <= 3.1.2 - Authenticated (Editor+) Stored Cross-Site Scripting

Aug 7, 2024 Patched in 3.2.0 (8d)
CVE-2024-37414 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Depicter Slider <= 3.0.2 - Authenticated (Editor+) Stored Cross-Site Scripting

Jun 28, 2024 Patched in 3.1.0 (5d)
CVE-2024-4390 · medium · 6.5 · Incorrect Authorization

Depicter <= 3.0.2 - Authenticated (Contributor+) Arbitrary Nonce Generation

Jun 19, 2024 Patched in 3.1.0 (1d)
CVE-2023-6493 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Depicter Slider – Responsive Image Slider, Video Slider & Post Slider <= 2.0.6 - Cross-Site Request Forgery via save

Jan 4, 2024 Patched in 2.0.7 (208d)
CVE-2022-47176 · medium · 5.4 · Missing Authorization

Depicter Slider <= 1.9.0 - Missing Authorization on 'make' function

Apr 28, 2023 Patched in 1.9.1 (270d)
Code Analysis
Analyzed Mar 16, 2026

Depicter — Popup & Slider Builder Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (287 prepared)
Unescaped Output: 33 (63 escaped)
Nonce Checks: 3
Capability Checks: 9
File Operations: 16
External Requests: 3
Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

100% prepared · 287 total queries

Output Escaping

66% escaped · 96 total outputs
Attack Surface
3 unprotected

Depicter — Popup & Slider Builder Attack Surface

Entry Points: 3
Unprotected: 3

REST API Routes 3

GET /wp-json/depicter/v1/dynamic/content-types app\src\WordPress\RestApiServiceProvider.php:53
GET /wp-json/depicter/v1/dynamic/content-types/post app\src\WordPress\RestApiServiceProvider.php:59
GET /wp-json/depicter/v1/dynamic/content-types/product app\src\WordPress\RestApiServiceProvider.php:65
WordPress Hooks 107
action after_setup_theme app\hooks.php:17
action depicter/editor/after/store app\hooks.php:34
action depicter/editor/after/delete app\hooks.php:47
action depicter/dashboard/after/delete app\hooks.php:61
action depicter/editor/after/store app\hooks.php:62
action depicter/rules/after/store app\hooks.php:63
filter averta/wordpress/sanitize/html/tags/depicter/output app\hooks.php:75
filter wp_update_attachment_metadata app\hooks.php:114
action init app\hooks.php:127
action post_updated app\hooks.php:128
filter style_loader_tag app\hooks.php:130
filter script_loader_tag app\hooks.php:148
action delete_attachment app\hooks.php:159
action admin_init app\hooks.php:178
action admin_init app\hooks.php:190
filter show_admin_bar app\hooks.php:199
action init app\hooks.php:202
action admin_notices app\hooks.php:205
action depicter/plugin/updated app\hooks.php:236
action admin_notices app\requirement.php:28
action admin_notices app\requirement.php:74
action admin_menu app\src\Dashboard\DashboardPage.php:25
action admin_enqueue_scripts app\src\Dashboard\DashboardPage.php:26
action admin_head app\src\Dashboard\DashboardPage.php:27
action admin_init app\src\Dashboard\DashboardPage.php:28
action wp_insert_site app\src\Database\DatabaseServiceProvider.php:62
action depicter/plugin/updated app\src\Database\DatabaseServiceProvider.php:63
action plugins_loaded app\src\Database\DatabaseServiceProvider.php:65
filter excerpt_length app\src\DataSources\HandPickedProducts.php:68
filter posts_search app\src\DataSources\Posts.php:275
filter posts_clauses app\src\DataSources\Products.php:137
action admin_action_depicter app\src\Editor\Editor.php:18
action depicter/plugin/updated app\src\Editor\Editor.php:19
action depicter/editor/open app\src\Editor\Editor.php:20
filter show_admin_bar app\src\Editor\Editor.php:55
action wp_head app\src\Editor\Editor.php:64
action wp_head app\src\Editor\Editor.php:65
action wp_head app\src\Editor\Editor.php:66
action wp_head app\src\Editor\Editor.php:67
action wp_footer app\src\Editor\Editor.php:70
filter heartbeat_settings app\src\Editor\Editor.php:79
filter wp_title app\src\Editor\Editor.php:84
action wp_enqueue_scripts app\src\Editor\EditorAssets.php:15
action wp_head app\src\Front\Assets.php:266
filter pre_kses app\src\Front\Preview.php:197
action depicter/lead/created app\src\Integration\Manager.php:10
filter image_resize_dimensions app\src\Media\Image\FileEdit.php:91
filter nocache_headers app\src\Middleware\CacheMiddleware.php:65
filter nocache_headers app\src\Middleware\CacheMiddleware.php:82
action wp_enqueue_scripts app\src\Modules\Beaver\module.php:33
action wp_enqueue_scripts app\src\Modules\Divi\includes\modules\depicter\depicter.php:17
action elementor/widgets/register app\src\Modules\Elementor\Module.php:11
action elementor/widgets/widgets_registered app\src\Modules\Elementor\Module.php:13
action elementor/editor/after_enqueue_scripts app\src\Modules\Elementor\Module.php:16
action wp_enqueue_scripts app\src\Modules\Elementor\Module.php:17
action admin_enqueue_scripts app\src\Modules\Gutenberg\module.php:9
action wp_enqueue_scripts app\src\Modules\Gutenberg\module.php:10
action plugins_loaded app\src\Modules\ModulesServiceProvider.php:18
action init app\src\Modules\ModulesServiceProvider.php:42
action init app\src\Modules\ModulesServiceProvider.php:44
action wp_enqueue_scripts app\src\Modules\ModulesServiceProvider.php:45
action vc_before_init app\src\Modules\ModulesServiceProvider.php:47
action init app\src\Modules\ModulesServiceProvider.php:48
action init app\src\Modules\ModulesServiceProvider.php:50
action init app\src\Modules\ModulesServiceProvider.php:52
action wp_enqueue_scripts app\src\Modules\ModulesServiceProvider.php:128
action wp_enqueue_scripts app\src\Modules\ModulesServiceProvider.php:139
action wp_enqueue_scripts app\src\Modules\Oxygen\module.php:10
action vc_edit_form_fields_after_render app\src\Modules\WPBakery\module.php:19
action wp_head app\src\Rules\ServiceProvider.php:30
action wp_footer app\src\Rules\ServiceProvider.php:52
action init app\src\Services\QueueService.php:13
filter cron_schedules app\src\Services\QueueService.php:14
filter wp_kses_uri_attributes app\src\Utility\Sanitize.php:11
filter safe_style_css app\src\Utility\Sanitize.php:12
filter safecss_filter_attr_allow_css app\src\Utility\Sanitize.php:13
filter plugin_row_meta app\src\WordPress\AdminServiceProvider.php:64
action admin_enqueue_scripts app\src\WordPress\AssetsServiceProvider.php:22
action init app\src\WordPress\ContentTypesServiceProvider.php:38
action init app\src\WordPress\ContentTypesServiceProvider.php:39
action current_screen app\src\WordPress\DeactivationFeedbackService.php:13
action admin_enqueue_scripts app\src\WordPress\DeactivationFeedbackService.php:21
action admin_footer app\src\WordPress\DeactivationFeedbackService.php:22
action admin_init app\src\WordPress\PermissionsServiceProvider.php:19
action plugins_loaded app\src\WordPress\PermissionsServiceProvider.php:20
action user_register app\src\WordPress\PermissionsServiceProvider.php:21
filter members_get_capabilities app\src\WordPress\PermissionsServiceProvider.php:52
action admin_init app\src\WordPress\PluginServiceProvider.php:43
action admin_init app\src\WordPress\PluginServiceProvider.php:44
filter update_plugin_complete_actions app\src\WordPress\PluginServiceProvider.php:45
action wp_enqueue_scripts app\src\WordPress\PluginServiceProvider.php:47
action admin_bar_menu app\src\WordPress\PluginServiceProvider.php:49
action rest_api_init app\src\WordPress\RestApiServiceProvider.php:44
action depicter/document/schedule/publish app\src\WordPress\SchedulingService.php:11
action depicter/document/schedule/draft app\src\WordPress\SchedulingService.php:12
action depicter/document/schedule/clear/cache app\src\WordPress\SchedulingService.php:13
action init app\src\WordPress\SessionServiceProvider.php:21
action wp_enqueue_scripts app\src\WordPress\ShortcodesServiceProvider.php:28
filter wp_check_filetype_and_ext app\src\WordPress\SVGServiceProvider.php:21
filter upload_mimes app\src\WordPress\SVGServiceProvider.php:22
filter site_status_tests app\src\WordPress\SystemCheckService.php:10
action widgets_init app\src\WordPress\WidgetsServiceProvider.php:22
action init app\src\WordPress\WPCronServiceProvider.php:30
action depicter_check_authorize app\src\WordPress\WPCronServiceProvider.php:31
action depicter_collect_usage_data app\src\WordPress\WPCronServiceProvider.php:32
action admin_notices app\version.php:50
filter wpemerge_loaded app\version.php:87

Scheduled Events 5

depicter/document/schedule/publish
depicter/document/schedule/draft
depicter/document/schedule/clear/cache
depicter_check_authorize
depicter_collect_usage_data
Maintenance & Trust

Depicter — Popup & Slider Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 14, 2026
PHP min version: 7.4.0
Downloads: 2.0M

Community Trust

Rating: 94/100
Number of ratings: 228
Active installs: 90K
Developer Profile

Depicter — Popup & Slider Builder Developer Profile

averta

6 plugins · 310K total installs

Trust score: 59
Avg Security Score: 71/100
Avg Patch Time: 250 days
Detection Fingerprints

How We Detect Depicter — Popup & Slider Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/depicter/app/public/css/app.css
/wp-content/plugins/depicter/app/public/css/depicter.css
/wp-content/plugins/depicter/app/public/js/app.js
/wp-content/plugins/depicter/app/public/js/depicter.js
/wp-content/plugins/depicter/app/public/js/editor.js
/wp-content/plugins/depicter/app/public/js/helpers.js
/wp-content/plugins/depicter/app/public/js/vendors/three.min.js
Script Paths
/wp-content/plugins/depicter/app/public/js/app.js
/wp-content/plugins/depicter/app/public/js/editor.js
/wp-content/plugins/depicter/app/public/js/helpers.js
/wp-content/plugins/depicter/app/public/js/vendors/three.min.js
Version Parameters
depicter/app.css?ver=
depicter/depicter.css?ver=
depicter/app.js?ver=
depicter/depicter.js?ver=
depicter/editor.js?ver=
depicter/helpers.js?ver=
depicter/vendors/three.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
depicter-slider
depicter-popup
depicter-editor-wrapper
Data Attributes
data-depicter-options
JS Globals
depicterInit
REST Endpoints
/wp-json/depicter/v1/settings
/wp-json/depicter/v1/sliders
/wp-json/depicter/v1/slider/
Shortcode Output
[depicter_slider
[depicter_popup