Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation Security & Risk Analysis

wordpress.org/plugins/optinmonster

🤩 Make popups & optin forms to get more email newsletter subscribers, leads, and sales - #1 most popular popup builder plugin! 🚀

1.0M active installs · v2.16.22 · PHP 7.2+ · WP 5.0+ · Updated Nov 19, 2025
Tags: ecommerce, marketing, optin, popup, popups
Score: 96
Grade: A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: May 24, 2024
Safety Verdict

Is Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation Safe to Use in 2026?

Generally Safe

Score 96/100

Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: May 24, 2024 · Updated 4mo ago
Risk Assessment

The static analysis of OptinMonster v2.16.22 reveals a generally strong security posture with a low number of critical vulnerabilities identified in code signals. The plugin demonstrates good practices by implementing capability checks on all identified entry points and utilizing prepared statements for a significant portion of its SQL queries. The high percentage of properly escaped output also indicates a commitment to preventing cross-site scripting vulnerabilities.

However, a notable concern arises from the plugin's vulnerability history, which shows a significant number of past CVEs, including one high-severity and five medium-severity vulnerabilities. The types of past vulnerabilities, such as CSRF, Authorization Bypass, Improper Authorization, XSS, and Code Injection, suggest recurring security weaknesses that attackers might still exploit if not diligently patched. The presence of Lodash as a bundled library, while not inherently a vulnerability, warrants attention as outdated bundled libraries can sometimes be a vector for exploits.

In conclusion, while OptinMonster v2.16.22 appears to implement many security best practices, its historical vulnerability record is a significant red flag. The absence of currently unpatched CVEs is positive, but the pattern of past vulnerabilities necessitates ongoing vigilance and thorough auditing to ensure that previously exploited weaknesses have been fully addressed.

Key Concerns

  • Significant past vulnerability history (6 total CVEs)
  • One past high-severity vulnerability
  • Five past medium-severity vulnerabilities
  • Bundled library (Lodash)
Vulnerabilities (6)

Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation Security Vulnerabilities

CVEs by Year

2016: 1 CVE
2021: 2 CVEs
2023: 1 CVE
2024: 2 CVEs

Severity Breakdown

High: 1
Medium: 5

6 total CVEs

CVE-2024-4045 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation <= 2.16.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 24, 2024 · Patched in 2.16.2 (1d)
CVE-2024-33691 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation <= 2.15.3 - Cross-Site Request Forgery to Notice Dismissal

Apr 26, 2024 · Patched in 2.16.0 (6d)
CVE-2023-0772 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

OptinMonster <= 2.12.1 - Authenticated (Subscriber+) Sensitive Information Disclosure via Shortcode

Mar 3, 2023 · Patched in 2.12.2 (326d)
CVE-2021-39341 · high · 8.2 · Improper Authorization

OptinMonster <= 2.6.4 - Unprotected REST-API Endpoints

Nov 1, 2021 · Patched in 2.6.5 (812d)
CVE-2021-39325 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OptinMonster <= 2.6.0 - Reflected Cross-Site Scripting

Sep 20, 2021 · Patched in 2.6.1 (854d)
CVE-2016-10996 · medium · 5.3 · Improper Control of Generation of Code ('Code Injection')

Popup Builder by OptinMonster <= 1.1.4.5 - Remote Code Execution

Jan 14, 2016 · Patched in 1.1.4.6 (2930d)
Code Analysis
Analyzed Mar 16, 2026

Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (4 prepared)
Unescaped Output: 32 (325 escaped)
Nonce Checks: 7
Capability Checks: 9
File Operations: 1
External Requests: 6
Bundled Libraries: 1

Bundled Libraries

Lodash

SQL Query Safety

57% prepared (4 of 7 total queries)

Output Escaping

91% escaped (325 of 357 total outputs)
Attack Surface

Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation Attack Surface

Entry Points: 5
Unprotected: 0

AJAX Handlers (2)

auth · wp_ajax_om_constant_contact_dismiss · OMAPI\ConstantContact.php:80
auth · wp_ajax_dismiss-wp-pointer · OMAPI\Validate.php:67

Shortcodes (3)

[optin-monster] OMAPI\Shortcode.php:70
[optin-monster-shortcode] OMAPI\Shortcode.php:71
[optin-monster-inline] OMAPI\Shortcode.php:72
WordPress Hooks (113)

action · admin_init · OMAPI\Actions.php:61
action · optin_monster_api_global_loaded · OMAPI\Actions.php:65
action · admin_init · OMAPI\Actions.php:67
action · init · OMAPI\Ajax.php:63
action · enqueue_block_editor_assets · OMAPI\Blocks.php:80
action · media_buttons · OMAPI\ClassicEditor.php:59
action · add_meta_boxes · OMAPI\ClassicEditor.php:60
action · save_post · OMAPI\ClassicEditor.php:61
action · admin_footer · OMAPI\ClassicEditor.php:130
action · admin_menu · OMAPI\ConstantContact.php:78
action · admin_notices · OMAPI\ConstantContact.php:79
filter · admin_body_class · OMAPI\ConstantContact.php:261
action · admin_enqueue_scripts · OMAPI\ConstantContact.php:262
filter · admin_footer_text · OMAPI\ConstantContact.php:263
action · in_admin_header · OMAPI\ConstantContact.php:264
action · optin_monster_api_rest_register_routes · OMAPI\EasyDigitalDownloads.php:61
filter · optin_monster_display_rules_data_output · OMAPI\EasyDigitalDownloads.php:62
action · shutdown · OMAPI\EasyDigitalDownloads.php:68
action · edd_update_payment_status · OMAPI\EasyDigitalDownloads.php:69
action · wp_enqueue_scripts · OMAPI\Elementor\Widget.php:46
action · elementor/editor/after_enqueue_styles · OMAPI\Elementor.php:79
action · elementor/widgets/widgets_registered · OMAPI\Elementor.php:80
action · optin_monster_should_set_campaigns_as_preview · OMAPI\Elementor.php:81
action · optin_monster_display_media_button · OMAPI\Elementor.php:82
action · elementor/editor/footer · OMAPI\Elementor.php:236
action · add_meta_boxes · OMAPI\MemberPress\ProductEducation.php:63
filter · optin_monster_campaigns_js_api_args · OMAPI\MemberPress.php:63
filter · optin_monster_api_setting_ui_data · OMAPI\MemberPress.php:64
action · admin_menu · OMAPI\Menu.php:104
action · admin_menu · OMAPI\Menu.php:105
action · admin_bar_menu · OMAPI\Menu.php:108
filter · admin_body_class · OMAPI\Menu.php:111
filter · plugin_row_meta · OMAPI\Menu.php:116
action · admin_menu · OMAPI\Menu.php:182
action · admin_footer · OMAPI\Menu.php:220
action · admin_enqueue_scripts · OMAPI\Menu.php:475
action · admin_enqueue_scripts · OMAPI\Menu.php:476
filter · admin_footer_text · OMAPI\Menu.php:477
action · in_admin_header · OMAPI\Menu.php:478
action · admin_enqueue_scripts · OMAPI\Menu.php:479
action · admin_print_footer_scripts · OMAPI\Menu.php:480
action · admin_footer · OMAPI\Menu.php:643
action · optin_monster_api_rest_loaded · OMAPI\Notifications.php:105
action · optin_monster_api_admin_loaded · OMAPI\Notifications.php:106
action · optin_monster_api_admin_notifications_update · OMAPI\Notifications.php:108
filter · optin_monster_api_notifications_count · OMAPI\Notifications.php:109
action · admin_enqueue_scripts · OMAPI\Notifications.php:110
filter · https_ssl_verify · OMAPI\Notifications.php:211
filter · optinmonster_pre_campaign_should_output · OMAPI\Output.php:132
action · pre_get_posts · OMAPI\Output.php:140
action · wp · OMAPI\Output.php:141
action · wp_footer · OMAPI\Output.php:157
action · wp_enqueue_scripts · OMAPI\Output.php:196
action · wp_footer · OMAPI\Output.php:197
action · wp_footer · OMAPI\Output.php:198
action · wp_footer · OMAPI\Output.php:199
action · wp_footer · OMAPI\Output.php:202
filter · optin_monster_api_final_output · OMAPI\Output.php:205
filter · optin_monster_api_empty_output · OMAPI\Output.php:206
action · wp_footer · OMAPI\Output.php:210
filter · script_loader_tag · OMAPI\Output.php:233
filter · clean_url · OMAPI\Output.php:235
filter · the_content · OMAPI\Output.php:299
action · wp_footer · OMAPI\Output.php:400
action · wp_footer · OMAPI\Output.php:457
filter · admin_title · OMAPI\Pages.php:87
filter · admin_body_class · OMAPI\Pages.php:88
filter · om_add_inline_script · OMAPI\Pages.php:193
filter · allowed_redirect_hosts · OMAPI\Pages.php:422
filter · optin_monster_should_enqueue_asset · OMAPI\Pages.php:495
action · admin_menu · OMAPI\Promos\Base.php:118
filter · admin_body_class · OMAPI\Promos\Base.php:176
action · in_admin_header · OMAPI\Promos\TrustPulse.php:133
action · optin_monster_api_admin_loaded · OMAPI\Promos.php:50
filter · rest_allowed_cors_headers · OMAPI\RestApi.php:42
filter · rest_send_nocache_headers · OMAPI\RestApi.php:45
filter · optin_monster_api_admin_notifications_has_access · OMAPI\RestApi.php:769
filter · optin_monster_api_admin_notifications_has_access · OMAPI\RestApi.php:793
filter · optin_monster_api_admin_notifications_has_access · OMAPI\RestApi.php:824
filter · optin_monster_api_output_fields · OMAPI\Rules\Base.php:47
action · optinmonster_campaign_should_output_plugin_checks · OMAPI\Rules\Base.php:48
filter · content_save_pre · OMAPI\Save.php:270
filter · widget_text · OMAPI\Shortcode.php:73
filter · widget_text · OMAPI\Shortcode.php:74
filter · optinmonster_check_should_output · OMAPI\Shortcode.php:145
action · admin_notices · OMAPI\Validate.php:64
action · admin_print_footer_scripts · OMAPI\Validate.php:276
action · admin_init · OMAPI\Welcome.php:79
action · wp_dashboard_setup · OMAPI\Welcome.php:80
action · optin_monster_api_rest_register_routes · OMAPI\WooCommerce.php:79
action · admin_enqueue_scripts · OMAPI\WooCommerce.php:81
action · add_meta_boxes · OMAPI\WooCommerce.php:84
action · admin_init · OMAPI\WooCommerce.php:87
action · woocommerce_thankyou · OMAPI\WooCommerce.php:90
action · woocommerce_order_status_changed · OMAPI\WooCommerce.php:91
action · admin_footer · OMAPI\WooCommerce.php:161
action · om-note-primary · OMAPI\WooCommerce.php:583
action · om-note-seconday · OMAPI\WooCommerce.php:590
action · optin_monster_api_rest_register_routes · OMAPI\WPForms.php:48
action · activate_wpforms-lite/wpforms.php · OMAPI\WPForms.php:51
action · activate_wpforms/wpforms.php · OMAPI\WPForms.php:52
action · deactivate_wpforms-lite/wpforms.php · OMAPI\WPForms.php:55
action · deactivate_wpforms/wpforms.php · OMAPI\WPForms.php:56
action · plugins_loaded · optin-monster-wp-api.php:153
action · before_woocommerce_init · optin-monster-wp-api.php:156
action · widgets_init · optin-monster-wp-api.php:159
action · init · optin-monster-wp-api.php:162
action · init · optin-monster-wp-api.php:165
action · admin_print_scripts · optin-monster-wp-api.php:168
action · admin_init · optin-monster-wp-api.php:171
filter · woocommerce_rest_prepare_product_cat · optin-monster-wp-api.php:174
filter · woocommerce_rest_prepare_product_tag · optin-monster-wp-api.php:175
action · rest_api_init · optin-monster-wp-api.php:267
Maintenance & Trust

Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 19, 2025
PHP min version: 7.2
Downloads: 130.6M

Community Trust

Rating: 86/100
Number of ratings: 803
Active installs: 1.0M
Developer Profile

Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days
Detection Fingerprints

How We Detect Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/optinmonster/assets/css/om-admin-bar-menu.css
/wp-content/plugins/optinmonster/assets/css/om-admin-styles.css
/wp-content/plugins/optinmonster/assets/css/om-base-styles.css
/wp-content/plugins/optinmonster/assets/css/om-dashboard.css
/wp-content/plugins/optinmonster/assets/css/om-modal.css
/wp-content/plugins/optinmonster/assets/css/om-onboarding.css
/wp-content/plugins/optinmonster/assets/css/om-settings.css
/wp-content/plugins/optinmonster/assets/css/om-style.css
+21 more
Script Paths
https://a.omappapi.com/app/js/api.min.js
Version Parameters
/wp-content/plugins/optinmonster/assets/css/om-admin-bar-menu.css?ver=
/wp-content/plugins/optinmonster/assets/css/om-admin-styles.css?ver=
/wp-content/plugins/optinmonster/assets/css/om-base-styles.css?ver=
/wp-content/plugins/optinmonster/assets/css/om-dashboard.css?ver=
/wp-content/plugins/optinmonster/assets/css/om-modal.css?ver=
/wp-content/plugins/optinmonster/assets/css/om-onboarding.css?ver=
/wp-content/plugins/optinmonster/assets/css/om-settings.css?ver=
/wp-content/plugins/optinmonster/assets/css/om-style.css?ver=
/wp-content/plugins/optinmonster/assets/css/om-upgrade-notice.css?ver=
/wp-content/plugins/optinmonster/assets/js/om-admin.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-admin-bar-menu.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-admin-dashboard.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-admin-notices.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-admin-settings.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-affiliate-links.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-dashboard.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-drag-and-drop.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-editor.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-global-settings.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-links.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-modal.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-notifications.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-onboarding.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-pro-features.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-rest-api.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-save-settings.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-sites.js?ver=
/wp-content/plugins/optinmonster/assets/js/om-upgrade-notice.js?ver=
/wp-content/plugins/optinmonster/assets/js/optinmonster-settings.js?ver=

HTML / DOM Fingerprints

CSS Classes
om-admin-bar-menu, om-admin-styles, om-base-styles, om-dashboard, om-modal, om-onboarding, om-settings, om-style, +753 more
HTML Comments
<!-- Admin Bar Menu -->
<!-- Begin OptinMonster Admin Bar Menu -->
<!-- End OptinMonster Admin Bar Menu -->
<!-- OptinMonster Admin Bar Menu -->
+1088 more
Data Attributes
data-om-optin-id, data-om-campaign-id, data-om-campaign-type, data-om-campaign-slug, data-om-campaign-name, data-om-campaign-url, +1 more
JS Globals
optinmonster_settings, OMAPI, OMAPI_REST
REST Endpoints
/wp-json/omapi/v1/campaigns
/wp-json/omapi/v1/campaign
/wp-json/omapi/v1/settings
/wp-json/omapi/v1/integrations
/wp-json/omapi/v1/integrations/connect
/wp-json/omapi/v1/integrations/disconnect
/wp-json/omapi/v1/integrations/update
/wp-json/omapi/v1/sites
/wp-json/omapi/v1/sites/connect
/wp-json/omapi/v1/sites/disconnect
/wp-json/omapi/v1/sites/update
/wp-json/omapi/v1/stats
/wp-json/omapi/v1/stats/campaign
/wp-json/omapi/v1/stats/site
/wp-json/omapi/v1/users
/wp-json/omapi/v1/users/connect
/wp-json/omapi/v1/users/disconnect
/wp-json/omapi/v1/users/update
/wp-json/omapi/v1/version
/wp-json/omapi/v1/version/check
FAQ

Frequently Asked Questions about Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation