HashBar – Announcement, Notification Bar & Popup Campaign Security & Risk Analysis

wordpress.org/plugins/hashbar-wp-notification-bar

Create Announcement Bars, Notification Bars & Popup Campaigns with countdown timers, A/B testing, smart targeting & analytics.

7K active installs · v1.9.3 · PHP + · WP 5.0+ · Updated Mar 9, 2026
Tags: announcement-bar, countdown-timer, lead-capture, notification-bar, popup
Score: 99 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Dec 26, 2023
Safety Verdict

Is HashBar – Announcement, Notification Bar & Popup Campaign Safe to Use in 2026?

Generally Safe

Score 99/100

HashBar – Announcement, Notification Bar & Popup Campaign has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Dec 26, 2023 · Updated 25d ago
Risk Assessment

The hashbar-wp-notification-bar plugin exhibits a mixed security posture. While it demonstrates good practices such as a high percentage of prepared SQL statements and properly escaped outputs, several concerning areas require attention. The presence of a significant attack surface with a notable number of unprotected entry points, particularly AJAX handlers and REST API routes, is a primary concern. Additionally, the use of the `unserialize` function, even with good output escaping elsewhere, introduces a potential risk if user-controlled data is ever processed without strict validation and sanitization.

The vulnerability history, with two past medium-severity CVEs related to Cross-Site Scripting (XSS), suggests a recurring pattern of input sanitization weaknesses. Although there are no currently unpatched vulnerabilities, the historical context coupled with the static analysis findings of unsanitized paths in taint flows warrants caution. The presence of one high-severity taint flow, even if not classified as critical, indicates a potentially serious vulnerability that needs immediate investigation. The plugin has strengths in its handling of SQL and output, but the attack surface and historical XSS issues are significant weaknesses.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • Dangerous function: unserialize
  • High severity taint flow with unsanitized paths
  • Past medium severity XSS vulnerabilities
  • Limited nonce checks
Vulnerabilities: 2

HashBar – Announcement, Notification Bar & Popup Campaign Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2023: 1 CVE

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2023-51372 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HashBar – WordPress Notification Bar <= 1.4.1 - Authenticated (Author+) Stored Cross-Site Scripting

Dec 26, 2023 · Patched in 1.4.2 (28d)

CVE-2022-4650 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HashBar – WordPress Notification Bar <= 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 27, 2022 · Patched in 1.3.6 (392d)
Code Analysis
Analyzed Mar 16, 2026

HashBar – Announcement, Notification Bar & Popup Campaign Code Analysis

Dangerous Functions: 9
Raw SQL Queries: 24 (116 prepared)
Unescaped Output: 97 (916 escaped)
Nonce Checks: 5
Capability Checks: 59
File Operations: 1
External Requests: 14
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $unserialized = unserialize($value); · admin\settings-panel\api\announcement-bar-api.php:626
unserialize · $unserialized = unserialize($value); · admin\settings-panel\api\announcement-bar-api.php:648
unserialize · $unserialized = unserialize($value); · admin\settings-panel\api\announcement-bar-api.php:668
unserialize · $unserialized = unserialize($value); · admin\settings-panel\api\announcement-bar-api.php:704
unserialize · $unserialized = unserialize($value); · admin\settings-panel\api\announcement-bar-api.php:725
unserialize · $devices = unserialize( $devices ); · inc\announcement-bar-frontend.php:317
unserialize · $page_ids = unserialize( $page_ids ); · inc\announcement-bar-frontend.php:393
unserialize · $excluded_ids = unserialize( $excluded_ids ); · inc\announcement-bar-frontend.php:417
unserialize · $target_countries = unserialize( $target_countries ); · inc\announcement-bar-frontend.php:454

SQL Query Safety

83% prepared · 140 total queries

Output Escaping

90% escaped · 1013 total outputs
Data Flows: 3 unsanitized

Data Flow Analysis

5 flows · 3 with unsanitized paths
__construct (admin\class-diagnostic-data.php:81)
Attack Surface: 6 unprotected

HashBar – Announcement, Notification Bar & Popup Campaign Attack Surface

Entry Points: 61
Unprotected: 6

AJAX Handlers 7

auth · wp_ajax_hashbar_plugin_deactivation_feedback · admin\class-deactivation.php:31
auth · wp_ajax_hashbar_diagnostic_data · admin\class-diagnostic-data.php:97
auth · wp_ajax_hashbar_notices · admin\class-notices.php:52
auth · wp_ajax_hashbar_get_pages_posts · admin\settings-panel\api\pages-posts-ajax.php:102
nopriv · wp_ajax_hashbar_get_pages_posts · admin\settings-panel\api\pages-posts-ajax.php:103
auth · wp_ajax_hashbar_analytics · inc\analytical-store.php:31
nopriv · wp_ajax_hashbar_analytics · inc\analytical-store.php:32

REST API Routes 52

POST · /wp-json/hashbar/v1/ab-test/track · admin\settings-panel\api\ab-test-api.php:34
GET · /wp-json/hashbar/v1/ab-test/stats/(?P<bar_id>\d+) · admin\settings-panel\api\ab-test-api.php:70
GET · /wp-json/hashbar/v1/ab-test/winner/(?P<bar_id>\d+) · admin\settings-panel\api\ab-test-api.php:91
GET · /wp-json/hashbar/v1/sidebar-content · admin\settings-panel\api\admin-dashboard-api.php:15
GET · /wp-json/hashbar/v1/notifications · admin\settings-panel\api\admin-dashboard-api.php:24
DELETE · /wp-json/hashbar/v1/notifications/(?P<id>\d+) · admin\settings-panel\api\admin-dashboard-api.php:33
PUT · /wp-json/hashbar/v1/notifications/(?P<id>\d+) · admin\settings-panel\api\admin-dashboard-api.php:41
GET · /wp-json/hashbar/v1/pages · admin\settings-panel\api\admin-dashboard-api.php:50
GET · /wp-json/hashbar/v1/posts · admin\settings-panel\api\admin-dashboard-api.php:59
POST · /wp-json/hashbar/v1/update-dashboard-settings · admin\settings-panel\api\admin-dashboard-api.php:68
GET · /wp-json/hashbar/v1/analytics · admin\settings-panel\api\admin-dashboard-api.php:77
POST · /wp-json/hashbar/v1/reset-settings · admin\settings-panel\api\admin-dashboard-api.php:86
POST · /wp-json/hashbar/v1/duplicate-post · admin\settings-panel\api\admin-dashboard-api.php:95
GET · /wp-json/hashbar/v1/announcement-analytics/overview · admin\settings-panel\api\announcement-analytics-api.php:25
GET · /wp-json/hashbar/v1/announcement-analytics/devices · admin\settings-panel\api\announcement-analytics-api.php:38
GET · /wp-json/hashbar/v1/announcement-analytics/pages · admin\settings-panel\api\announcement-analytics-api.php:51
GET · /wp-json/hashbar/v1/announcement-analytics/countries · admin\settings-panel\api\announcement-analytics-api.php:64
GET · /wp-json/hashbar/v1/announcement-analytics/timeline · admin\settings-panel\api\announcement-analytics-api.php:77
GET · /wp-json/hashbar/v1/announcement-analytics/export · admin\settings-panel\api\announcement-analytics-api.php:90
GET · /wp-json/hashbar/v1/announcement-bars · admin\settings-panel\api\announcement-bar-api.php:23
POST · /wp-json/hashbar/v1/announcement-bars · admin\settings-panel\api\announcement-bar-api.php:32
GET · /wp-json/hashbar/v1/announcement-bars/(?P<id>\d+) · admin\settings-panel\api\announcement-bar-api.php:41
PUT · /wp-json/hashbar/v1/announcement-bars/(?P<id>\d+) · admin\settings-panel\api\announcement-bar-api.php:57
DELETE · /wp-json/hashbar/v1/announcement-bars/(?P<id>\d+) · admin\settings-panel\api\announcement-bar-api.php:73
POST · /wp-json/hashbar/v1/announcement-bars/(?P<id>\d+)/duplicate · admin\settings-panel\api\announcement-bar-api.php:89
GET · /wp-json/hashbar/v1/announcement-bars/templates · admin\settings-panel\api\announcement-bar-api.php:105
GET · /wp-json/hashbar/v1/pages-posts · admin\settings-panel\api\announcement-bar-api.php:114
GET · /wp-json/hashbar/v1/announcement-bars/(?P<id>\d+)/debug-geo · admin\settings-panel\api\announcement-bar-api.php:123
POST · /wp-json/hashbar/v1/popup-ab-test/track · admin\settings-panel\api\popup-ab-test-api.php:27
GET · /wp-json/hashbar/v1/popup-ab-test/stats/(?P<popup_id>\d+) · admin\settings-panel\api\popup-ab-test-api.php:62
GET · /wp-json/hashbar/v1/popup-ab-test/winner/(?P<popup_id>\d+) · admin\settings-panel\api\popup-ab-test-api.php:83
POST · /wp-json/hashbar/v1/popup-ab-test/assign · admin\settings-panel\api\popup-ab-test-api.php:104
GET · /wp-json/hashbar/v1/popup-analytics/overview · admin\settings-panel\api\popup-analytics-api.php:24
GET · /wp-json/hashbar/v1/popup-analytics/devices · admin\settings-panel\api\popup-analytics-api.php:37
GET · /wp-json/hashbar/v1/popup-analytics/pages · admin\settings-panel\api\popup-analytics-api.php:50
GET · /wp-json/hashbar/v1/popup-analytics/countries · admin\settings-panel\api\popup-analytics-api.php:63
GET · /wp-json/hashbar/v1/popup-analytics/timeline · admin\settings-panel\api\popup-analytics-api.php:76
GET · /wp-json/hashbar/v1/popup-analytics/export · admin\settings-panel\api\popup-analytics-api.php:89
GET · /wp-json/hashbar/v1/popup-analytics/variants · admin\settings-panel\api\popup-analytics-api.php:102
GET · /wp-json/hashbar/v1/popup-campaigns · admin\settings-panel\api\popup-campaign-api.php:32
POST · /wp-json/hashbar/v1/popup-campaigns · admin\settings-panel\api\popup-campaign-api.php:41
GET · /wp-json/hashbar/v1/popup-campaigns/(?P<id>\d+) · admin\settings-panel\api\popup-campaign-api.php:50
PUT · /wp-json/hashbar/v1/popup-campaigns/(?P<id>\d+) · admin\settings-panel\api\popup-campaign-api.php:66
DELETE · /wp-json/hashbar/v1/popup-campaigns/(?P<id>\d+) · admin\settings-panel\api\popup-campaign-api.php:82
POST · /wp-json/hashbar/v1/popup-campaigns/(?P<id>\d+)/duplicate · admin\settings-panel\api\popup-campaign-api.php:98
GET · /wp-json/hashbar/v1/popup-campaigns/templates · admin\settings-panel\api\popup-campaign-api.php:114
GET · /wp-json/hashbar/v1/popup-campaigns/available-forms · admin\settings-panel\api\popup-campaign-api.php:123
POST · /wp-json/hashbar/v1/popup-campaigns/mailchimp-lists · admin\settings-panel\api\popup-campaign-api.php:132
GET · /wp-json/hashbar/v1/popup-campaigns/woo-coupons · admin\settings-panel\api\popup-campaign-api.php:141
POST · /wp-json/hashbar/v1/announcement-analytics/batch · inc\announcement-analytics-processor.php:45
POST · /wp-json/hashbar/v1/popup-analytics/batch · inc\popup-analytics-processor.php:44
POST · /wp-json/hashbar/v1/popup-campaigns/(?P<id>\d+)/submit · inc\popup-campaign-form-handler.php:31

Shortcodes 2

[hashbar_btn] inc\shortcode.php:18
[hashbar_countdown] inc\shortcode.php:43

WordPress Hooks 78

action · admin_footer · admin\class-deactivation.php:30
action · plugins_loaded · admin\class-diagnostic-data.php:107
action · admin_head · admin\class-diagnostic-data.php:117
action · admin_footer · admin\class-diagnostic-data.php:118
action · admin_notices · admin\class-notices.php:49
action · hashbar_admin_notices · admin\class-notices.php:50
action · admin_footer · admin\class-notices.php:51
action · admin_enqueue_scripts · admin\Hashbar_Trial.php:70
action · admin_init · admin\Hashbar_Trial.php:71
action · admin_print_scripts · admin\Hashbar_Trial.php:343
action · admin_print_footer_scripts · admin\Hashbar_Trial.php:344
action · hashbar_admin_notices · admin\Hashbar_Trial.php:348
action · admin_footer · admin\Hashbar_Trial.php:352
action · admin_footer · admin\Hashbar_Trial.php:353
action · admin_menu · admin\plugin-options.php:2
action · admin_menu · admin\plugin-options.php:3
action · admin_init · admin\plugin-options.php:4
action · admin_footer · admin\plugin-options.php:27
action · rest_api_init · admin\settings-panel\api\ab-test-api.php:293
filter · rest_authentication_errors · admin\settings-panel\api\ab-test-api.php:299
action · rest_api_init · admin\settings-panel\api\admin-dashboard-api.php:104
action · rest_api_init · admin\settings-panel\api\announcement-analytics-api.php:16
action · rest_api_init · admin\settings-panel\api\announcement-bar-api.php:892
action · rest_api_init · admin\settings-panel\api\changelog-api.php:35
action · rest_api_init · admin\settings-panel\api\popup-ab-test-api.php:543
filter · rest_authentication_errors · admin\settings-panel\api\popup-ab-test-api.php:548
action · rest_api_init · admin\settings-panel\api\popup-analytics-api.php:15
action · rest_api_init · admin\settings-panel\api\popup-campaign-api.php:1213
action · admin_menu · admin\settings-panel\settings-panel.php:35
action · admin_enqueue_scripts · admin\settings-panel\settings-panel.php:36
action · admin_footer · admin\settings-panel\settings-panel.php:37
action · admin_head · admin\settings-panel\settings-panel.php:114
filter · script_loader_tag · admin\settings-panel\settings-panel.php:162
action · init · admin\settings-panel\settings-panel.php:296
action · wp_trash_post · inc\analytical-store.php:33
action · rest_api_init · inc\announcement-analytics-processor.php:37
filter · rest_authentication_errors · inc\announcement-analytics-processor.php:377
action · init · inc\announcement-bar-cpt.php:68
action · init · inc\announcement-bar-cpt.php:750
action · wp · inc\announcement-bar-frontend.php:52
action · init · inc\class-manage-blocks.php:32
action · enqueue_block_assets · inc\class-manage-blocks.php:33
action · enqueue_block_editor_assets · inc\class-manage-blocks.php:34
filter · block_categories_all · inc\class-manage-blocks.php:37
filter · block_categories · inc\class-manage-blocks.php:39
action · init · inc\custom-posts.php:58
action · admin_footer · inc\metabox.php:2
action · rest_api_init · inc\popup-analytics-processor.php:36
filter · rest_authentication_errors · inc\popup-analytics-processor.php:478
action · init · inc\popup-campaign-cpt.php:81
action · init · inc\popup-campaign-cpt.php:1068
action · admin_init · inc\popup-campaign-database.php:243
action · rest_api_init · inc\popup-campaign-form-handler.php:24
action · wp · inc\popup-campaign-frontend.php:61
action · wp_footer · inc\popup-campaign-frontend.php:83
action · wp_footer · inc\popup-campaign-frontend.php:739
filter · mce_buttons · inc\shortcode.php:4
filter · mce_external_plugins · inc\shortcode.php:11
action · init · init.php:49
action · rest_api_init · init.php:73
action · in_admin_header · init.php:87
action · admin_init · init.php:127
action · admin_init · init.php:153
action · admin_init · init.php:166
action · admin_enqueue_scripts · init.php:192
action · plugins_loaded · init.php:297
action · init · init.php:327
action · init · init.php:384
action · enqueue_block_assets · init.php:389
action · wp_enqueue_scripts · init.php:392
action · admin_footer · init.php:459
action · wp_footer · init.php:469
filter · manage_wphash_ntf_bar_posts_columns · init.php:958
action · manage_wphash_ntf_bar_posts_custom_column · init.php:967
action · init · init.php:983
action · save_post · init.php:1007
action · admin_footer · init.php:1016
action · wp_loaded · init.php:1038
Maintenance & Trust

HashBar – Announcement, Notification Bar & Popup Campaign Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 9, 2026
PHP min version
Downloads: 334K

Community Trust

Rating: 88/100
Number of ratings: 31
Active installs: 7K
Developer Profile

HashBar – Announcement, Notification Bar & Popup Campaign Developer Profile

DevItems

13 plugins · 179K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 93 days
Detection Fingerprints

How We Detect HashBar – Announcement, Notification Bar & Popup Campaign

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/hashbar-wp-notification-bar/assets/images/logo.png

HTML / DOM Fingerprints

CSS Classes
hashbar-review-notice-wrap
hashbar-rating-notice-logo
hashbar-review-notice-content
hashbar-review-notice-action
hashbar-review-notice
hashbar-notice-close
Data Attributes
data-already-did
REST Endpoints
/wp-json/plugins/v1/register-routes