Magic Popups – Custom and Lightweight Popups Security & Risk Analysis

wordpress.org/plugins/magic-popups-customizable-and-lightweight

Add lightweight and customizable popups to your WordPress site. You can choose to display your popups on specific pages. You can also display the popu …

100 active installs · v1.0.2 · PHP + · WP 4.0.1+ · Updated Sep 3, 2022
Tags: custom, pop-up, popup, popups, simple
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Magic Popups – Custom and Lightweight Popups Safe to Use in 2026?

Generally Safe

Score 85/100

Magic Popups – Custom and Lightweight Popups has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3yr ago
Risk Assessment

The plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries, has no recorded vulnerabilities, and avoids dangerous functions and file operations. However, a significant concern arises from the presence of 6 AJAX handlers, all of which lack authentication checks. This creates a substantial attack surface where unauthenticated users could potentially trigger arbitrary code execution or manipulate plugin functionality.

The static analysis shows insufficient output escaping: only 50% of outputs are properly escaped, which could lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is output without escaping. The single nonce check and single capability check are insufficient given the number of unprotected AJAX endpoints.

While the vulnerability history is clean, it's important to note that a lack of past vulnerabilities doesn't guarantee future security. The current code analysis reveals critical areas of weakness that could be exploited. The plugin's strengths lie in its SQL handling and lack of known exploits, but the unprotected AJAX endpoints and potential for XSS are significant risks that need immediate attention.

Key Concerns

  • Unprotected AJAX handlers
  • Insufficient output escaping
  • Limited nonce and capability checks
Vulnerabilities
None known

Magic Popups – Custom and Lightweight Popups Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Magic Popups – Custom and Lightweight Popups Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 16 (16 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

50% escaped · 32 total outputs
Attack Surface
6 unprotected

Magic Popups – Custom and Lightweight Popups Attack Surface

Entry Points: 6
Unprotected: 6

AJAX Handlers: 6

auth  wp_ajax_magic_popups_get_pages  admin\class-magic-popups-admin.php:107
auth  wp_ajax_magic_popups_create_popup  admin\class-magic-popups-admin.php:116
auth  wp_ajax_magic_popups_get_popups  admin\class-magic-popups-admin.php:188
auth  wp_ajax_magic_popups_get_popup_by_id  admin\class-magic-popups-admin.php:197
auth  wp_ajax_magic_popups_update_popup  admin\class-magic-popups-admin.php:244
auth  wp_ajax_magic_popups_delete_popup  admin\class-magic-popups-admin.php:303

WordPress Hooks: 6

action  admin_enqueue_scripts  includes\class-magic-popups.php:129
action  admin_enqueue_scripts  includes\class-magic-popups.php:130
action  admin_menu  includes\class-magic-popups.php:131
action  admin_init  includes\class-magic-popups.php:132
action  wp_enqueue_scripts  includes\class-magic-popups.php:144
action  wp_enqueue_scripts  includes\class-magic-popups.php:145
Maintenance & Trust

Magic Popups – Custom and Lightweight Popups Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.0.11
Last updated: Sep 3, 2022
PHP min version
Downloads: 5K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 100
Developer Profile

Magic Popups – Custom and Lightweight Popups Developer Profile

Matt Fletcher

1 plugin · 100 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Magic Popups – Custom and Lightweight Popups

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/magic-popups-customizable-and-lightweight/admin/dist/style.css
/wp-content/plugins/magic-popups-customizable-and-lightweight/admin/dist/main.js
Script Paths
/wp-content/plugins/magic-popups-customizable-and-lightweight/admin/dist/main.js
Version Parameters
magic-popups-customizable-and-lightweight/admin/dist/style.css?ver=
magic-popups-customizable-and-lightweight/admin/dist/main.js?ver=

HTML / DOM Fingerprints

CSS Classes
magic-popups-admin-menu
Data Attributes
data-magic-popup
JS Globals
magic_popups_ajax
REST Endpoints
/wp-json/magic-popups/v1/get-pages
/wp-json/magic-popups/v1/create-popup
/wp-json/magic-popups/v1/get-popups
/wp-json/magic-popups/v1/get-popup-by-id
/wp-json/magic-popups/v1/update-popup
/wp-json/magic-popups/v1/delete-popup
/wp-json/magic-popups/v1/get-settings
/wp-json/magic-popups/v1/update-settings
FAQ

Frequently Asked Questions about Magic Popups – Custom and Lightweight Popups