Nelio Popups Security & Risk Analysis

wordpress.org/plugins/nelio-popups

An intuitive popup designer based on open WordPress technologies

1K active installs · v1.3.6 · PHP 7.4+ · WP 6.6+ · Updated Jan 29, 2026
Tags: block-editor, conversion, exit-intent, modal, popup
Score: 98 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Jan 29, 2026
Safety Verdict

Is Nelio Popups Safe to Use in 2026?

Generally Safe

Score 98/100

Nelio Popups has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Jan 29, 2026 · Updated 3mo ago
Risk Assessment

The static analysis of nelio-popups v1.3.6 reveals a generally good security posture, with no identified attack surface points, dangerous functions, or critical/high severity taint flows. The plugin demonstrates strong adherence to secure coding practices, evident in the use of prepared statements for all SQL queries, a high percentage of properly escaped output, and the presence of nonce and capability checks. The single file operation and external HTTP request are not inherently risky without further context but warrant observation.

However, the vulnerability history is a significant concern. The plugin has two known medium severity CVEs, and while currently unpatched vulnerabilities are reported as zero, the past existence of these issues, specifically related to Missing Authorization and Cross-site Scripting, suggests a history of potential weaknesses. The most recent vulnerability being dated 2026-01-29 is likely a placeholder or typo, but if it reflects actual past vulnerabilities, it indicates the need for continued vigilance. The pattern of medium severity vulnerabilities, even if patched, points to areas where the development team might need to reinforce security review processes.

In conclusion, nelio-popups v1.3.6 benefits from a clean bill of health in its current code analysis regarding direct exploits. The strengths lie in its use of prepared statements and output escaping. The primary weakness stems from its past vulnerability history, suggesting a need for ongoing security audits and potentially more robust development practices to prevent recurring medium severity issues.

Key Concerns

  • Past medium severity vulnerabilities
  • 1 file operation found
  • 1 nonce check found
  • 2 capability checks found
Vulnerabilities
2 published

Nelio Popups Security Vulnerabilities

CVEs by Year

  • 2025: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

  • Medium: 2

2 total CVEs

CVE-2026-25016 · medium · 4.3 · Missing Authorization

Nelio Popups <= 1.3.5 - Missing Authorization

Jan 29, 2026 Patched in 1.3.6 (5d)

CVE-2025-66111 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nelio Popups <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 10, 2025 Patched in 1.3.1 (3d)
Code Analysis
Analyzed Mar 16, 2026

Nelio Popups Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 1 (12 escaped)
  • Nonce Checks: 1
  • Capability Checks: 2
  • File Operations: 1
  • External Requests: 0
  • Bundled Libraries: 0

Output Escaping

92% escaped · 13 total outputs

Attack Surface

Nelio Popups Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 30

  • filter · wpseo_sitemap_exclude_post_type · includes\compat.php:10
  • filter · wp_sitemaps_post_types · includes\compat.php:12
  • filter · wp_robots · includes\compat.php:20
  • action · wp_enqueue_scripts · includes\frontend\public.php:37
  • action · init · includes\frontend\public.php:39
  • action · wp_head · includes\frontend\public.php:44
  • action · wp_footer · includes\frontend\public.php:78
  • filter · nelio_popups_active_popups · includes\frontend\targets.php:29
  • filter · nelio_popups_does_content_target_apply · includes\frontend\targets.php:175
  • filter · nelio_popups_does_excluded-content_target_apply · includes\frontend\targets.php:185
  • action · enqueue_block_editor_assets · includes\gutenberg.php:60
  • action · init · includes\gutenberg.php:88
  • action · admin_menu · includes\menu.php:40
  • action · wpmu_new_blog · includes\popup-capabilities.php:9
  • action · enqueue_block_editor_assets · includes\popup-editor.php:36
  • action · enqueue_block_assets · includes\popup-editor.php:46
  • action · init · includes\popups.php:66
  • filter · preview_post_link · includes\popups.php:79
  • action · init · includes\popups.php:137
  • action · rest_api_init · includes\popups.php:161
  • filter · manage_nelio_popup_posts_columns · includes\popups.php:174
  • action · manage_nelio_popup_posts_custom_column · includes\popups.php:201
  • filter · post_row_actions · includes\popups.php:215
  • action · wp_before_admin_bar_render · includes\popups.php:224
  • action · admin_enqueue_scripts · includes\popups.php:242
  • filter · allowed_block_types_all · includes\popups.php:260
  • filter · rest_page_query · includes\rest.php:11
  • filter · rest_post_query · includes\rest.php:12
  • filter · posts_where · includes\rest.php:26
  • action · plugins_loaded · includes\update.php:13

Maintenance & Trust

Nelio Popups Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 29, 2026
  • PHP min version: 7.4
  • Downloads: 15K

Community Trust

  • Rating: 100/100
  • Number of ratings: 8
  • Active installs: 1K

Developer Profile

Nelio Popups Developer Profile

Nelio Software

12 plugins · 12K total installs

  • Trust score: 75
  • Avg Security Score: 94/100
  • Avg Patch Time: 760 days
Detection Fingerprints

How We Detect Nelio Popups

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/nelio-popups/assets/css/block-customizations.css
  • /wp-content/plugins/nelio-popups/assets/css/public.css
  • /wp-content/plugins/nelio-popups/assets/js/public.js

Script Paths

  • /wp-content/plugins/nelio-popups/assets/js/public.js

Version Parameters

  • nelio-popups/assets/css/block-customizations.css?ver=
  • nelio-popups/assets/css/public.css?ver=
  • nelio-popups/assets/js/public.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • nelio-popup-store
  • nelio-popup-size--is-auto-normal
  • nelio-popup-size--is-auto-wide
  • nelio-popup-size--is-auto-fullscreen
  • nelio-popup-size--is-custom
  • nelio-popup-size--is-fixed
  • nelio-popup-content

Data Attributes

  • nelio-popup-preview

JS Globals

  • NelioPopupsFrontendSettings