HollerBox — Fast & Effective Popups & Lead-Generation Security & Risk Analysis

wordpress.org/plugins/holler-box

Get more leads and sales with effective popups that convert! Integrate HollerBox with your favorite CRM and email marketing tools.

3K active installs · v2.3.10.1 · PHP + WP 5.0+ · Updated Aug 7, 2025
Tags: email, marketing, optin, popup, popups
Score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Sep 1, 2023
Safety Verdict

Is HollerBox — Fast & Effective Popups & Lead-Generation Safe to Use in 2026?

Generally Safe

Score 99/100

HollerBox — Fast & Effective Popups & Lead-Generation has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Sep 1, 2023 · Updated 7mo ago
Risk Assessment

The Holler Box plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for a significant portion of its SQL queries and properly escaping the majority of its output. The absence of dangerous functions and bundled libraries is also a strength. However, there are notable areas of concern, particularly regarding its attack surface. A substantial number of REST API routes lack permission callbacks, creating a wide entry point for potential unauthorized access or manipulation. Furthermore, the taint analysis, while not revealing critical or high severity issues, did identify flows with unsanitized paths, indicating potential vulnerabilities if specific input is not handled carefully.

Key Concerns

  • REST API routes without permission callbacks
  • AJAX handlers without auth checks
  • Flows with unsanitized paths
  • Vulnerability history: Medium severity XSS/SQLi
Vulnerabilities: 2

HollerBox — Fast & Effective Popups & Lead-Generation Security Vulnerabilities

CVEs by Year

2023: 2 CVEs (all patched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2023-41657 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HollerBox <= 2.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Sep 1, 2023 · Patched in 2.3.3 (144d)

CVE-2023-2111 · medium · 6.6 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

HollerBox <= 2.1.3 - Authenticated (edit_popups+) SQL Injection

May 2, 2023 · Patched in 2.1.4 (266d)
Code Analysis
Analyzed Mar 16, 2026

HollerBox — Fast & Effective Popups & Lead-Generation Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 6 (16 prepared)
Unescaped Output: 12 (61 escaped)
Nonce Checks: 1
Capability Checks: 13
File Operations: 1
External Requests: 11
Bundled Libraries: 0

SQL Query Safety

73% prepared (22 total queries)

Output Escaping

84% escaped (73 total outputs)
Data Flows: 2 unsanitized

Data Flow Analysis

5 flows · 2 with unsanitized paths
admin_user (includes\class-holler-admin.php:137)
Attack Surface: 13 unprotected

HollerBox — Fast & Effective Popups & Lead-Generation Attack Surface

Entry Points: 14
Unprotected: 13

AJAX Handlers 1

auth · wp_ajax_holler_clear_user_stats_cache · includes\class-holler-admin.php:78

REST API Routes 13

GET · /wp-json/hollerboxpopup/(?P<popup_id>\d+) · includes\class-holler-api.php:17
GET · /wp-json/hollerboxsubmit/(?P<popup_id>\d+) · includes\class-holler-api.php:35
GET · /wp-json/hollerbox/report · includes\class-holler-api.php:43
GET · /wp-json/hollerboxoptions · includes\class-holler-api.php:51
GET · /wp-json/hollerboxclosed · includes\class-holler-api.php:59
GET · /wp-json/hollerboxconversion · includes\class-holler-api.php:67
GET · /wp-json/hollerboximpression · includes\class-holler-api.php:75
GET · /wp-json/hollerboxinstall · includes\class-holler-api.php:83
GET · /wp-json/hollerboxsettings · includes\class-holler-api.php:91
GET · /wp-json/hollerboxlibrary · includes\class-holler-api.php:99
GET · /wp-json/hollerboxlicensing · includes\class-holler-licensing.php:25
GET · /wp-json/hollerbox/telemetry · includes\class-holler-telemetry.php:35
GET · /wp-json/hollerbox/telemetry/legacy · includes\class-holler-telemetry.php:43
WordPress Hooks 36

action · plugins_loaded · holler-box.php:159
filter · replace_editor · includes\class-holler-admin.php:63
action · admin_action_hollerbox_export · includes\class-holler-admin.php:65
action · admin_action_hollerbox_duplicate · includes\class-holler-admin.php:66
action · admin_menu · includes\class-holler-admin.php:68
action · init · includes\class-holler-admin.php:69
filter · manage_hollerbox_posts_columns · includes\class-holler-admin.php:70
action · manage_hollerbox_posts_custom_column · includes\class-holler-admin.php:71
filter · post_row_actions · includes\class-holler-admin.php:72
action · admin_enqueue_scripts · includes\class-holler-admin.php:74
action · edit_user_profile · includes\class-holler-admin.php:76
action · show_user_profile · includes\class-holler-admin.php:77
filter · screen_options_show_screen · includes\class-holler-admin.php:485
action · in_admin_footer · includes\class-holler-admin.php:486
action · rest_api_init · includes\class-holler-api.php:12
action · wp · includes\class-holler-frontend.php:27
action · wp_head · includes\class-holler-frontend.php:28
action · wp_footer · includes\class-holler-frontend.php:29
action · wp_enqueue_scripts · includes\class-holler-frontend.php:30
filter · body_class · includes\class-holler-frontend.php:31
filter · show_admin_bar · includes\class-holler-frontend.php:192
filter · qm/process · includes\class-holler-frontend.php:195
action · admin_bar_menu · includes\class-holler-frontend.php:231
action · wp_mail_failed · includes\class-holler-integrations.php:184
action · rest_api_init · includes\class-holler-licensing.php:20
filter · wp_kses_allowed_html · includes\class-holler-popup.php:207
action · gh_parse_contact_query · includes\class-holler-popup.php:505
action · deleted_post · includes\class-holler-reporting.php:36
action · rest_api_init · includes\class-holler-telemetry.php:12
action · init · includes\class-holler-telemetry.php:13
action · hollerbox/telemetry · includes\class-holler-telemetry.php:14
action · admin_init · includes\class-holler-updater.php:6
filter · pre_set_site_transient_update_plugins · includes\Holler_EDD_SL_Plugin_Updater.php:78
filter · plugins_api · includes\Holler_EDD_SL_Plugin_Updater.php:79
action · admin_init · includes\Holler_EDD_SL_Plugin_Updater.php:82
filter · pre_set_site_transient_update_plugins · includes\Holler_EDD_SL_Plugin_Updater.php:223

Scheduled Events 1

hollerbox/telemetry
Maintenance & Trust

HollerBox — Fast & Effective Popups & Lead-Generation Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Aug 7, 2025
PHP min version
Downloads: 187K

Community Trust

Rating: 96/100
Number of ratings: 32
Active installs: 3K
Developer Profile

HollerBox — Fast & Effective Popups & Lead-Generation Developer Profile

Adrian Tobey

7 plugins · 6K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 275 days
Detection Fingerprints

How We Detect HollerBox — Fast & Effective Popups & Lead-Generation

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/holler-box/assets/css/holler-box.css
/wp-content/plugins/holler-box/assets/js/holler-box.js
/wp-content/plugins/holler-box/assets/js/holler-box-admin.js
Script Paths
/wp-content/plugins/holler-box/assets/js/holler-box.js
/wp-content/plugins/holler-box/assets/js/holler-box-admin.js
Version Parameters
holler-box/assets/css/holler-box.css?ver=
holler-box/assets/js/holler-box.js?ver=
holler-box/assets/js/holler-box-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
hollerbox-wrapper
hollerbox-overlay
hollerbox-popup
hollerbox-close
Data Attributes
data-hollerbox-id
JS Globals
HollerBox
holler_box_params
REST Endpoints
/wp-json/hollerbox/v1/popup
/wp-json/hollerbox/v1/conversion
FAQ

Frequently Asked Questions about HollerBox — Fast & Effective Popups & Lead-Generation