Popup addon for Ninja Forms Security & Risk Analysis

wordpress.org/plugins/popup-addon-for-ninja-forms

Popup/Modal addon for Ninja Forms. Create beautiful popups using Ninja Forms for newsletters, login, registration forms.

1K active installs · v3.5.2 · PHP + WP 4.4+ · Updated Nov 4, 2025
Tags: contact-form, modal, newsletter, ninja-forms, popup
Score: 98
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Oct 31, 2025
Safety Verdict

Is Popup addon for Ninja Forms Safe to Use in 2026?

Generally Safe

Score 98/100

Popup addon for Ninja Forms has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Oct 31, 2025 · Updated 5mo ago
Risk Assessment

The 'popup-addon-for-ninja-forms' plugin v3.5.2 presents a mixed security posture. It demonstrates good practices, such as using prepared statements for all SQL queries and implementing nonce and capability checks on some entry points, but significant concerns remain regarding output escaping and historical vulnerabilities. Static analysis shows that a substantial portion of output (55%) is not properly escaped, indicating a potential risk of Cross-Site Scripting (XSS) vulnerabilities.

This analysis found no critical or high severity taint flows, but the history of two medium severity XSS vulnerabilities, the last in late 2025, suggests a recurring pattern of input sanitization issues. There are no unpatched CVEs, which is positive, but the two past medium severity issues warrant attention. The plugin has a small attack surface with only one shortcode, and it appears to be protected. The unescaped output is the most prominent risk, and the historical trend of XSS vulnerabilities, even though currently patched, suggests a need for more robust input validation and output sanitization.

Key Concerns

  • Insufficient output escaping
  • History of medium severity XSS vulnerabilities
Vulnerabilities
2

Popup addon for Ninja Forms Security Vulnerabilities

CVEs by Year

2 CVEs in 2025

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-64264 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup addon for Ninja Forms <= 3.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 31, 2025 · Patched in 3.5.2 (18d)

CVE-2025-53279 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup addon for Ninja Forms <= 3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 27, 2025 · Patched in 3.5 (6d)
Code Analysis
Analyzed Mar 16, 2026

Popup addon for Ninja Forms Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 56 (45 escaped)
Nonce Checks: 1
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

45% escaped · 101 total outputs
Data Flows: 2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
__construct (inc\admin\class-nf-popups-customizer.php:15)
Attack Surface

Popup addon for Ninja Forms Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes: 1

[nf-popup] inc\shortcode.php:9

WordPress Hooks: 20

action · customize_register · inc\admin\class-nf-popups-customizer.php:19
filter · customize_register · inc\admin\class-nf-popups-customizer.php:29
filter · customize_loaded_components · inc\admin\class-nf-popups-customizer.php:32
filter · customize_loaded_components · inc\admin\class-nf-popups-customizer.php:33
filter · customize_register · inc\admin\class-nf-popups-customizer.php:35
action · customize_register · inc\admin\class-nf-popups-customizer.php:38
action · customize_register · inc\admin\class-nf-popups-customizer.php:39
filter · customize_control_active · inc\admin\class-nf-popups-customizer.php:40
filter · query_vars · inc\admin\class-nf-popups-customizer.php:42
action · customize_preview_init · inc\admin\class-nf-popups-customizer.php:46
action · template_redirect · inc\admin\class-nf-popups-customizer.php:50
action · admin_notices · inc\admin\class-nf-popups-customizer.php:56
action · plugins_loaded · inc\admin\class-nf-popups-customizer.php:253
action · admin_menu · inc\admin\class-nf-popups-licenses.php:5
action · admin_init · inc\admin\class-nf-popups-licenses.php:7
action · init · inc\admin\class-nf-popups-postype.php:5
action · add_meta_boxes · inc\admin\class-nf-popups-settings-metabox.php:9
action · save_post · inc\admin\class-nf-popups-settings-metabox.php:10
action · wp_enqueue_scripts · nf-popups.php:39
action · admin_enqueue_scripts · nf-popups.php:49
Maintenance & Trust

Popup addon for Ninja Forms Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 4, 2025
PHP min version
Downloads: 37K

Community Trust

Rating: 76/100
Number of ratings: 6
Active installs: 1K
Developer Profile

Popup addon for Ninja Forms Developer Profile

Aman

11 plugins · 8K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 138 days
Detection Fingerprints

How We Detect Popup addon for Ninja Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/popup-addon-for-ninja-forms/css/animations.css
/wp-content/plugins/popup-addon-for-ninja-forms/css/magnific-popup.css
/wp-content/plugins/popup-addon-for-ninja-forms/js/magnific-popup.js
/wp-content/plugins/popup-addon-for-ninja-forms/js/nf-popups.js
/wp-content/plugins/popup-addon-for-ninja-forms/css/nf-popups-admin.css
/wp-content/plugins/popup-addon-for-ninja-forms/js/admin.js
/wp-content/plugins/popup-addon-for-ninja-forms/js/customizer-preview.js
Script Paths
/wp-content/plugins/popup-addon-for-ninja-forms/js/magnific-popup.js
/wp-content/plugins/popup-addon-for-ninja-forms/js/nf-popups.js
/wp-content/plugins/popup-addon-for-ninja-forms/js/admin.js
/wp-content/plugins/popup-addon-for-ninja-forms/js/customizer-preview.js

HTML / DOM Fingerprints

CSS Classes
nf-popups-close-btn
Data Attributes
nf_popup_id_customizer
JS Globals
nf_popup_id_customizer