WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation Security & Risk Analysis

wordpress.org/plugins/optin

Create stunning popups and newsletter forms with WowOptin. Boost your lead generation and sales with advanced targeting and Canva-like flexibility.

1K active installs · v1.4.29 · PHP 7.4+ · WP 6.4+ · Updated Mar 12, 2026
Tags: email-newsletter, lead-generation, optin, pop-ups, popup
Score: 97 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Mar 4, 2026
Safety Verdict

Is WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation Safe to Use in 2026?

Generally Safe

Score 97/100

WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Mar 4, 2026 · Updated 22d ago
Risk Assessment

The "optin" plugin v1.4.29 exhibits a generally good security posture with robust practices in SQL query preparation and output escaping, indicating developers are aware of common web vulnerabilities. The vast majority of SQL queries utilize prepared statements, and nearly all output is properly escaped, which significantly reduces the risk of SQL injection and cross-site scripting (XSS) attacks.

However, there are several areas of concern stemming from the attack surface analysis. The presence of 3 AJAX handlers, with one lacking proper authentication checks, presents a direct vulnerability. Similarly, 51 REST API routes with 4 routes lacking permission callbacks create significant authorization bypass opportunities. The single identified high-severity vulnerability in the past, despite being patched, suggests a history of potential authorization issues. While taint analysis shows no critical or high-severity flows, the absence of nonce checks on the unprotected AJAX handler is a notable weakness.

In conclusion, while the plugin has strong foundations in data handling and output sanitization, the unprotected entry points in its AJAX and REST API interfaces are critical security flaws that could lead to unauthorized actions or data breaches. The historical vulnerability also points to a recurring theme of authorization weaknesses. Addressing these unprotected endpoints is paramount to improving the plugin's security.

Key Concerns

  • AJAX handler without auth checks
  • REST API routes without permission callbacks
  • Historical high severity vulnerability (Missing Authorization)
  • Low number of nonce checks relative to entry points
Vulnerabilities
1

WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation Security Vulnerabilities

CVEs by Year

1 CVE in 2026

Severity Breakdown

High: 1

1 total CVE

CVE-2026-1720 · high · 8.8 · Missing Authorization

WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation <= 1.4.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

Mar 4, 2026 Patched in 1.4.25 (2d)
Code Analysis
Analyzed Mar 16, 2026

WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 8 (95 prepared)
Unescaped Output: 10 (406 escaped)
Nonce Checks: 3
Capability Checks: 11
File Operations: 5
External Requests: 56
Bundled Libraries: 0

SQL Query Safety

92% prepared · 103 total queries

Output Escaping

98% escaped · 416 total outputs
Data Flows
All sanitized

Data Flow Analysis

1 flows
<class-notice> (includes\utils\class-notice.php:0)
Attack Surface
5 unprotected

WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation Attack Surface

Entry Points: 55
Unprotected: 5

AJAX Handlers 3

auth · wp_ajax_optn_install_plugin · includes\class-wpxpo-plugins.php:18
auth · wp_ajax_optn_deactive_plugin · includes\utils\class-deactive.php:28
auth · wp_ajax_optn_install · includes\utils\class-notice.php:41

REST API Routes 51

GET /wp-json/optn/v1/optin/(?P<id>\d+)/duplicate · admin\class-rest-admin.php:39
GET /wp-json/optn/v1/recipes/(?P<id>\d+) · admin\class-rest-admin.php:49
POST /wp-json/optn/v1/get-post · admin\class-rest-admin.php:59
POST /wp-json/optn/v1/save-post · admin\class-rest-admin.php:69
DELETE /wp-json/optn/v1/delete-post · admin\class-rest-admin.php:79
POST /wp-json/optn/v1/restore-post · admin\class-rest-admin.php:89
POST /wp-json/optn/v1/reset-post · admin\class-rest-admin.php:99
POST /wp-json/optn/v1/get-posts · admin\class-rest-admin.php:109
POST /wp-json/optn/v1/get-leads · admin\class-rest-admin.php:119
DELETE /wp-json/optn/v1/delete-leads · admin\class-rest-admin.php:129
POST /wp-json/optn/v1/get-products · admin\class-rest-admin.php:139
POST /wp-json/optn/v1/get-archives · admin\class-rest-admin.php:149
POST /wp-json/optn/v1/get-rule-options · admin\class-rest-admin.php:159
POST /wp-json/optn/v1/get-rule-values · admin\class-rest-admin.php:169
POST /wp-json/optn/v1/get-templates · admin\class-rest-admin.php:179
GET /wp-json/optn/v1/presets · admin\class-rest-admin.php:189
GET /wp-json/optn/v1/presets/(?P<id>\d+) · admin\class-rest-admin.php:199
GET /wp-json/optn/v1/settings · admin\class-rest-admin.php:209
POST /wp-json/optn/v1/settings · admin\class-rest-admin.php:219
POST /wp-json/optn/v1/download-assets · admin\class-rest-admin.php:229
POST /wp-json/optn/v1/shortcode-content · admin\class-rest-admin.php:247
GET /wp-json/optn/v1/assets/images · admin\class-rest-admin.php:257
GET /wp-json/optn/v1/assets/videos · admin\class-rest-admin.php:267
GET /wp-json/optn/v1/export/leads · admin\class-rest-admin.php:277
GET /wp-json/optn/v1/abt/ · admin\rest\class-rest-ab-testing.php:35
GET /wp-json/optn/v1/abt/(?P<id>\d+) · admin\rest\class-rest-ab-testing.php:45
GET /wp-json/optn/v1/abt/(?P<id>\d+)/stats · admin\rest\class-rest-ab-testing.php:55
GET /wp-json/optn/v1/abt · admin\rest\class-rest-ab-testing.php:65
GET /wp-json/optn/v1/abt/(?P<id>\d+) · admin\rest\class-rest-ab-testing.php:76
GET /wp-json/optn/v1/abt/winner-selection · admin\rest\class-rest-ab-testing.php:86
GET /wp-json/optn/v1/integration/ · admin\rest\class-rest-integration.php:34
GET /wp-json/optn/v1/integration/(?P<id>\d+) · admin\rest\class-rest-integration.php:44
GET /wp-json/optn/v1/integration/info · admin\rest\class-rest-integration.php:54
POST /wp-json/optn/v1/integration · admin\rest\class-rest-integration.php:99
POST /wp-json/optn/v1/integration/ai/prompt · admin\rest\class-rest-integration.php:109
DELETE /wp-json/optn/v1/integration/(?P<id>\d+) · admin\rest\class-rest-integration.php:176
POST /wp-json/optn/v1/integration-data/ · admin\rest\class-rest-integration.php:186
POST /wp-json/optn/v1/integration-action · frontend\class-rest-frontend.php:38
POST /wp-json/optn/v1/update-analytics/ · includes\class-analytics.php:44
GET /wp-json/optn/v1/get-ipinfo/ · includes\class-analytics.php:54
GET /wp-json/optn/v1/get-quick-view-data/ · includes\class-analytics.php:71
GET /wp-json/optn/v1/get-valid-convs/ · includes\class-analytics.php:81
POST /wp-json/optn/v1/get-impressions/ · includes\class-analytics.php:91
POST /wp-json/optn/v1/get-impressions-device/ · includes\class-analytics.php:101
POST /wp-json/optn/v1/get-conversions/ · includes\class-analytics.php:111
POST /wp-json/optn/v1/get-sales/ · includes\class-analytics.php:121
POST /wp-json/optn/v1/get-pop-optins/ · includes\class-analytics.php:131
POST /wp-json/optn/v1/get-geo-view/ · includes\class-analytics.php:141
GET /wp-json/optn/v1/zapier · includes\integrations\other\class-zapier.php:96
GET /wp-json/optn/v1/zapier · includes\integrations\other\class-zapier.php:106
GET /wp-json/optn/v1/zapier · includes\integrations\other\class-zapier.php:116

Shortcodes 1

[optn] · frontend\class-frontend.php:121

WordPress Hooks 49

action · admin_footer · admin\class-admin.php:87
action · optn_clean_db · admin\class-admin.php:110
filter · http_request_host_is_external · admin\class-rest-admin.php:422
filter · wpforms_frontend_assets_header_force_load · admin\class-rest-admin.php:862
filter · optn_css · frontend\blocks\class-columns-block.php:34
filter · body_class · frontend\class-frontend.php:123
action · wp · frontend\class-frontend.php:131
action · optn_html · frontend\class-optin-generator.php:94
filter · optn_data · frontend\class-optin-generator.php:143
filter · optn_css · frontend\class-optin-generator.php:163
filter · optn_block_attrs · frontend\class-optin-generator.php:207
filter · optn_fonts · frontend\class-optin-generator.php:245
action · optn_data · frontend\class-optin-generator.php:310
action · optn_abt_created · includes\class-ab-testing.php:98
action · optn_abt_updated · includes\class-ab-testing.php:99
action · optn_abt_before_delete · includes\class-ab-testing.php:100
action · plugins_loaded · includes\class-init.php:87
action · admin_menu · includes\class-init.php:102
action · admin_head · includes\class-init.php:103
action · admin_footer · includes\class-init.php:104
action · rest_api_init · includes\class-init.php:107
action · admin_enqueue_scripts · includes\class-init.php:110
action · admin_enqueue_scripts · includes\class-init.php:111
action · rest_api_init · includes\class-init.php:126
action · wp · includes\class-init.php:129
action · wp · includes\class-init.php:132
action · safe_style_css · includes\class-init.php:135
action · safecss_filter_attr_allow_css · includes\class-init.php:136
action · wp · includes\class-init.php:138
action · wp_head · includes\class-init.php:139
action · wp_footer · includes\class-init.php:140
action · edd_complete_purchase · includes\class-init.php:143
action · woocommerce_thankyou · includes\class-init.php:144
action · wp_enqueue_scripts · includes\class-init.php:147
action · optn_compat_purge_cache · includes\compatibility\class-caching-plugins.php:18
action · optn_viewed_optin · includes\integrations\other\class-google-analytics.php:52
action · optn_converted · includes\integrations\other\class-google-analytics.php:53
action · optn_purchased · includes\integrations\other\class-google-analytics.php:54
action · rest_api_init · includes\integrations\other\class-zapier.php:85
action · optn_lead_added · includes\integrations\other\class-zapier.php:86
filter · optn_google_fonts · includes\utils\class-block-utils.php:20
action · admin_footer · includes\utils\class-deactive.php:26
action · admin_notices · includes\utils\class-notice.php:34
action · admin_init · includes\utils\class-notice.php:35
action · rest_api_init · includes\utils\class-notice.php:38
filter · plugin_row_meta · includes\utils\class-plugin-actions.php:19
filter · optn_is_sanitizing_content · includes\utils\class-sanitizer.php:401
filter · optn_is_sanitizing_content · includes\utils\class-sanitizer.php:405
action · opnt_rotate_visitor_stats · includes\utils\class-visitor-count.php:27

Scheduled Events 2

optn_clean_db
opnt_rotate_visitor_stats
Maintenance & Trust

WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.4
Downloads: 20K

Community Trust

Rating: 100/100
Number of ratings: 14
Active installs: 1K
Developer Profile

WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation Developer Profile

WPXPO

9 plugins · 52K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 149 days
Detection Fingerprints

How We Detect WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/optin/assets/css/build/optin.css
/wp-content/plugins/optin/assets/js/build/optin.js
Version Parameters
optin/assets/css/build/optin.css?ver=
optin/assets/js/build/optin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wowoptin-builder
JS Globals
optin_scripts_data
FAQ

Frequently Asked Questions about WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation