WP-Safety

Popularis Extra Security & Risk Analysis

wordpress.org/plugins/popularis-extra

Popularis Extra add extra features to Popularis theme like demo import, widgets, shortcodes or Elementor widgets.

8K active installs v1.2.10 PHP 5.6+ WP 4.4+ Updated Dec 3, 2025
demoelementorimportshortcodeswidgets
74
B · Generally Safe
CVEs total3
Unpatched1
Last CVEJan 28, 2026
Plugin page Download
Safety Verdict

Is Popularis Extra Safe to Use in 2026?

Mostly Safe

Score 74/100

Popularis Extra is generally safe to use. 3 past CVEs were resolved. Keep it updated.

3 known CVEs 1 unpatched Last CVE: Jan 28, 2026Updated 4mo ago
Risk Assessment

The 'popularis-extra' plugin v1.2.10 exhibits a mixed security posture. On the positive side, static analysis reveals a robust implementation of security controls, with all identified entry points (AJAX handlers, REST API routes, shortcodes, and cron events) appearing to have authentication or permission checks. SQL queries are consistently prepared, and a significant majority of output is properly escaped, indicating good development practices in these areas. Nonce and capability checks are also prevalent.

However, the presence of the `unserialize` function is a significant concern, as it can lead to remote code execution vulnerabilities if not handled with extreme care and strict input validation. While no critical or high severity taint flows were identified, the three flows with unsanitized paths, even if of lower severity in this analysis, warrant attention and further investigation to ensure they do not expose the application. The plugin's vulnerability history is also a red flag, with three known medium severity CVEs and, most critically, one currently unpatched vulnerability. The historical pattern of CSRF, authorization bypass, and XSS indicates a recurring tendency for vulnerabilities to emerge in these attack vectors.

In conclusion, while 'popularis-extra' demonstrates strengths in input sanitization and authentication mechanisms for its entry points, the `unserialize` function, unsanitized paths in taint flows, and a history of unpatched vulnerabilities present substantial risks. The single unpatched CVE significantly lowers the plugin's overall security rating. Users should exercise caution and prioritize updating to a version that addresses all known vulnerabilities.

Key Concerns

  • Unpatched CVE
  • Dangerous function: unserialize
  • Flows with unsanitized paths
Vulnerabilities
3

Popularis Extra Security Vulnerabilities

CVEs by Year

2 CVEs in 2024
2024
1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
3

3 total CVEs

CVE-2026-25422medium · 4.3Cross-Site Request Forgery (CSRF)

Popularis Extra <= 1.2.10 - Cross-Site Request Forgery

Jan 28, 2026Unpatched
CVE-2024-10795medium · 4.3Authorization Bypass Through User-Controlled Key

Popularis Extra <= 1.2.7 - Authenticated (Contributor+) Post Disclosure

Nov 15, 2024 Patched in 1.2.8 (1d)
CVE-2024-9353medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popularis Extra <= 1.2.6 - Reflected Cross-Site Scripting

Oct 3, 2024 Patched in 1.2.7 (1d)
Code Analysis
Analyzed Mar 16, 2026

Popularis Extra Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
4 prepared
Unescaped Output
82
512 escaped
Nonce Checks
14
Capability Checks
15
File Operations
17
External Requests
2
Bundled Libraries
0

Dangerous Functions Found

unserialize$data = @unserialize( $raw );includes\panel\classes\importers\class-settings-importer.php:25

SQL Query Safety

100% prepared4 total queries

Output Escaping

86% escaped594 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

10 flows3 with unsanitized paths
popularis_extra_review_notice_message (includes\notify\notify.php:45)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Popularis Extra Attack Surface

Entry Points9
Unprotected0

AJAX Handlers 8

authwp_ajax_popularis_ajax_get_demo_dataincludes\panel\demos.php:56
authwp_ajax_popularis_ajax_required_plugins_activateincludes\panel\demos.php:57
authwp_ajax_popularis_ajax_get_import_dataincludes\panel\demos.php:60
authwp_ajax_popularis_ajax_import_xmlincludes\panel\demos.php:63
authwp_ajax_popularis_ajax_import_theme_settingsincludes\panel\demos.php:66
authwp_ajax_popularis_ajax_import_widgetsincludes\panel\demos.php:69
authwp_ajax_popularis_after_importincludes\panel\demos.php:72
authwp_ajax_popularis_wizard_ajax_get_demo_dataincludes\wizard\classes\WizardAjax.php:9

Shortcodes 1

[popularis-posts] library\extra-shortcodes\shortcodes.php:11
WordPress Hooks 36
actionadmin_noticesincludes\notify\notify.php:36
actionadmin_noticesincludes\notify\notify.php:151
actionadmin_initincludes\notify\notify.php:156
actionadmin_noticesincludes\notify\notify.php:233
actionadmin_initincludes\notify\notify.php:239
actionadmin_noticesincludes\notify\notify.php:297
actionadmin_menuincludes\panel\classes\class-install-demos.php:21
filterimport_post_meta_keyincludes\panel\classes\importers\class-wordpress-importer.php:101
filterhttp_request_timeoutincludes\panel\classes\importers\class-wordpress-importer.php:102
filterpopularis_demos_dataincludes\panel\demos-pro.php:992
actionadmin_initincludes\panel\demos.php:36
actionadmin_enqueue_scriptsincludes\panel\demos.php:39
filterupload_mimesincludes\panel\demos.php:42
actionadmin_footerincludes\panel\demos.php:45
actionadmin_menuincludes\wizard\wizard.php:35
actionadmin_initincludes\wizard\wizard.php:36
actionwp_loadedincludes\wizard\wizard.php:37
actionadmin_print_stylesincludes\wizard\wizard.php:38
actionadd_second_noticeincludes\wizard\wizard.php:39
actionmanage_elementor_library_posts_columnslibrary\extra-elementor\elementor-shortcode.php:56
actionmanage_elementor_library_posts_custom_columnlibrary\extra-elementor\elementor-shortcode.php:57
actionelementor/widgets/widgets_registeredlibrary\extra-elementor\elementor-widgets.php:96
actionelementor/frontend/after_register_scriptslibrary\extra-elementor\elementor-widgets.php:100
actionelementor/preview/enqueue_scriptslibrary\extra-elementor\elementor-widgets.php:102
actionload-widgets.phplibrary\extra-widgets\about-widget.php:66
actionadmin_head-widgets.phplibrary\extra-widgets\about-widget.php:69
actionadmin_footer-widgets.phplibrary\extra-widgets\about-widget.php:70
actionadmin_head-widgets.phplibrary\extra-widgets\social-widget.php:119
actionadmin_enqueue_scriptslibrary\extra-widgets\social-widget.php:120
actionadmin_footer-widgets.phplibrary\extra-widgets\social-widget.php:121
actionwidgets_initlibrary\extra-widgets.php:36
actioninitpopularis-extra.php:34
actionwp_enqueue_scriptspopularis-extra.php:44
actionadmin_initpopularis-extra.php:122
actionafter_switch_themepopularis-extra.php:123
actionbefore_woocommerce_initpopularis-extra.php:154

Scheduled Events 2

add_second_notice
add_second_notice
Maintenance & Trust

Popularis Extra Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedDec 3, 2025
PHP min version5.6
Downloads225K

Community Trust

Rating100/100
Number of ratings1
Active installs8K
Alternatives

Popularis Extra Alternatives

Wishful Companion

Wishful Companion

wishful-companion

A
92

Wishful Companion add extra features to all WishfulThemes themes like demo import and other widgets.

300 No CVEs
aThemes Starter Sites

aThemes Starter Sites

athemes-starter-sites

A
99

We've got a full and ever-growing library stocked with ready-made templates for any kind of business.

40K 1 CVE
Bosa Elementor Addons and Templates for WooCommerce

Bosa Elementor Addons and Templates for WooCommerce

bosa-elementor-for-woocommerce

A
99

Elementor Addon with widgets and templates for WooCommerce.

30K 1 CVE
Apollo13 Framework Extensions

Apollo13 Framework Extensions

apollo13-framework-extensions

A
95

Adds custom post types, shortcodes and some features that are used in themes built on Apollo13 Framework.

20K 6 CVEs
Futurio Extra

Futurio Extra

futurio-extra

A
96

Futurio Extra add extra features to Futurio theme like widgets, WooCommerce options, Elementor widgets, one click demo import and much more.

20K 7 CVEs
Developer Profile

Popularis Extra Developer Profile

Themes4WP

14 plugins · 26K total installs

90
trust score
Avg Security Score
94/100
Avg Patch Time
22 days
View full developer profile
Detection Fingerprints

How We Detect Popularis Extra

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/popularis-extra/assets/css/admin.css/wp-content/plugins/popularis-extra/assets/css/responsive.css/wp-content/plugins/popularis-extra/assets/js/admin.js/wp-content/plugins/popularis-extra/assets/js/script.js/wp-content/plugins/popularis-extra/assets/css/style.css
Script Paths
/wp-content/plugins/popularis-extra/assets/js/admin.js/wp-content/plugins/popularis-extra/assets/js/script.js
Version Parameters
popularis-extra/assets/css/admin.css?ver=popularis-extra/assets/css/responsive.css?ver=popularis-extra/assets/js/admin.js?ver=popularis-extra/assets/js/script.js?ver=popularis-extra/assets/css/style.css?ver=

HTML / DOM Fingerprints

CSS Classes
popularis-extra-settings
HTML Comments
Popularis Extra Settings
Data Attributes
data-popularis-extra-colordata-popularis-extra-background
JS Globals
popularis_extra_settings
FAQ

Frequently Asked Questions about Popularis Extra