Does PopPop have any unpatched vulnerabilities?

No. All known vulnerabilities in PopPop have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is PopPop compatible with WordPress 3.6.1?

According to WordPress.org data, PopPop 0.4 has been tested up to WordPress 3.6.1. Check the plugin's changelog for the latest compatibility information.

How often is PopPop updated?

PopPop was last updated on Apr 27, 2013. Frequent updates are generally a positive security signal.

What is PopPop's security score?

PopPop has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

PopPop Security & Risk Analysis

wordpress.org/plugins/poppop

Easily display your widgets inside modal and popup windows.

80 active installs v0.4 PHP + WP 3.0+ Updated Apr 27, 2013

modalpop-uppopuprevealwidget

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is PopPop Safe to Use in 2026?

Generally Safe

Score 85/100

PopPop has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 12yr ago

Risk Assessment

The "poppop" plugin v0.4 presents a significant security risk due to its unprotected AJAX handlers. While the plugin demonstrates good practices by avoiding dangerous functions, file operations, external HTTP requests, and using prepared statements for SQL queries, the presence of two AJAX handlers without any authentication or capability checks is a major concern. This allows any user, regardless of their role, to trigger these actions, potentially leading to unintended consequences or exploitation.

The static analysis reveals a small attack surface, but the critical weakness lies in the lack of security measures on these entry points. The low percentage of properly escaped output also indicates a risk of Cross-Site Scripting (XSS) vulnerabilities, as user-supplied data might be rendered directly in the browser without proper sanitization. The absence of any recorded vulnerability history is positive, but it does not negate the immediate risks identified in the code. Developers should prioritize implementing nonce checks and capability checks on the AJAX handlers and ensure all output is properly escaped to mitigate these vulnerabilities.

Key Concerns

AJAX handlers without auth checks
Low percentage of properly escaped output

Vulnerabilities

None known

PopPop Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

PopPop Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

1 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

4% escaped24 total outputs

Attack Surface

2 unprotected

PopPop Attack Surface

Entry Points2

Unprotected2

AJAX Handlers 2

authwp_ajax_poppop_save_cookieinit.php:65

noprivwp_ajax_poppop_save_cookieinit.php:66

WordPress Hooks 9

actionin_widget_forminit.php:32

actionadmin_initinit.php:33

actionwidgets_initinit.php:34

actiontemplate_redirectinit.php:36

actionwp_footerinit.php:37

actioninitinit.php:38

actionwidgets_initinit.php:39

actionin_widget_forminit.php:63

filterwidget_update_callbackinit.php:64

Maintenance & Trust

PopPop Maintenance & Trust

Maintenance Signals

WordPress version tested3.6.1

Last updatedApr 27, 2013

PHP min version

Downloads10K

Community Trust

Rating96/100

Number of ratings5

Active installs80

Alternatives

PopPop Alternatives

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

ays-popup-box

Build flexible popups and modal windows with multiple popup types, triggers, and display controls.

50K 17 CVEs

Pop-up

pop-up-pop-up

Pop-up Popups

10K 2 CVEs

Modal Popup Box: A Flexible Pop Up Box Builder

modal-popup-box

Create and manage a customizable pop up box on your WordPress website. Embed anything from videos and images to forms and shortcodes.

2K 2 CVEs

MakeITeasy Popup

makeiteasy-popup

100

Advanced block based pop-up solution.

1K No CVEs

Modal Maker – An Elementor Modal Widget

modal-maker

An Elementor widget plugin which adds a customizable button that triggers a modal popup, perfect for displaying additional content or options in a sty …

100 No CVEs

Developer Profile

PopPop Developer Profile

shazdeh

24 plugins · 4K total installs

trust score

Avg Security Score

86/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect PopPop

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/poppop/js/poppop.js/wp-content/plugins/poppop/css/poppop.css/wp-content/plugins/poppop/js/rokbox.js

Script Paths

/wp-content/plugins/poppop/js/poppop.js/wp-content/plugins/poppop/js/rokbox.js

Version Parameters

poppop/css/poppop.css?ver=poppop/js/poppop.js?ver=poppop/js/rokbox.js?ver=

HTML / DOM Fingerprints

CSS Classes

poppop-wrapperpoppop-containerpoppop-contentpoppop-close

HTML Comments

Data Attributes

data-poppop-iddata-poppop-auto-firedata-poppop-cookie

JS Globals

Poppop

REST Endpoints

/wp-json/poppop/v1/save_cookie

FAQ