Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions Security & Risk Analysis

wordpress.org/plugins/popup-anything-on-click

Create popup on a page load or Create popup by clicking link, image and button. Create popups, opt-in forms, & exit popups, floating bars and more!

30K active installs v2.9.1 PHP + WP 5.2+ Updated Feb 20, 2026
exit-popup image-popup marketing-popup modal-popup-on-click page-load-popup
97
A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Apr 16, 2024
Safety Verdict

Is Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions Safe to Use in 2026?

Generally Safe

Score 97/100

Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Apr 16, 2024 · Updated 1mo ago
Risk Assessment

The "popup-anything-on-click" plugin v2.9.1 presents a mixed security posture. Static analysis shows a generally good implementation: a high percentage of outputs are properly escaped, nonce and capability checks are robust, and all SQL queries use prepared statements. There are, however, notable areas of concern. The use of the dangerous `unserialize` function is a significant red flag, because it can lead to Remote Code Execution if its input is not handled with extreme caution and validated. Furthermore, the taint analysis found two flows with unsanitized paths, which could potentially be exploitable even though this analysis identified no critical or high severity issues.

The vulnerability history shows a pattern of medium severity issues, including Missing Authorization, CSRF, and XSS. The fact that there are no currently unpatched CVEs is positive, but the recurring nature of these vulnerability types suggests that the plugin may have historical weaknesses that require continuous vigilance and robust input sanitization. The recent vulnerability in April 2024 indicates that the development team is actively addressing security but also highlights the ongoing need for updates and patching.

Overall, the plugin has strengths in its use of prepared statements and output escaping, but the identified dangerous function and taint flow issues, coupled with its past vulnerability record, necessitate a cautious approach. Users should ensure they are using the latest version and remain aware of potential security updates.

Key Concerns

  • Presence of 'unserialize' dangerous function
  • Taint analysis shows unsanitized paths (2 flows)
  • History of medium severity vulnerabilities (4 total)
Vulnerabilities
4

Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2022: 1 CVE
2023: 1 CVE
2024: 1 CVE

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2024-32601 · medium · 5.3 · Missing Authorization

Popup Anything <= 2.8.0 - Missing Authorization

Apr 16, 2024 Patched in 2.8.1 (8d)

CVE-2022-38077 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP OnlineSupport, Essential Plugin Popup Anything <= 2.2.1 - Cross Site Request Forgery

Mar 28, 2023 Patched in 2.2.2 (301d)

CVE-2022-2115 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup Anything – A Marketing Popup and Lead Generation Conversions <= 2.1.6 - Reflected Cross-Site Scripting

Jul 4, 2022 Patched in 2.1.7 (568d)

CVE-2021-24883 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup Anything <= 2.0.3 - Contributor+ Stored Cross-Site Scripting

Oct 25, 2021 Patched in 2.0.4 (820d)
Code Analysis
Analyzed Mar 16, 2026

Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (3 prepared)
Unescaped Output: 20 (542 escaped)
Nonce Checks: 10
Capability Checks: 6
File Operations: 1
External Requests: 1
Bundled Libraries: 1

Dangerous Functions Found

unserialize: `$info = @unserialize($data);` at wpos-analytics\includes\class-anylc-admin.php:696

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 3 total queries

Output Escaping

96% escaped · 562 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

6 flows · 2 with unsanitized paths
popupaoc_create_popup (includes\class-paoc-public.php:105)
Attack Surface

Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 2

auth wp_ajax_popupaoc_post_title_sugg includes\admin\class-popupaoc-admin.php:41
auth wp_ajax_popupaoc_popup_data_migrate includes\admin\paoc-db-upgrade.php:337

Shortcodes 2

[paoc_details] includes\shortcode\paoc-details-shrt.php:143
[popup_anything] includes\shortcode\popupaoc-popup-shortcode.php:105
WordPress Hooks 35
action admin_menu includes\admin\class-popupaoc-admin.php:20
action add_meta_boxes includes\admin\class-popupaoc-admin.php:23
action save_post includes\admin\class-popupaoc-admin.php:26
action admin_notices includes\admin\class-popupaoc-admin.php:29
action admin_init includes\admin\class-popupaoc-admin.php:32
action wp includes\admin\class-popupaoc-admin.php:44
action admin_notices includes\admin\paoc-db-upgrade.php:36
action admin_menu includes\admin\paoc-db-upgrade.php:48
action popupaoc_general_tags includes\admin\popup-tags\class-popup-tags.php:20
action admin_init includes\admin\settings\register-settings.php:48
filter popupaoc_sett_sanitize_general includes\admin\settings\register-settings.php:93
filter popupaoc_sett_sanitize_display_rule includes\admin\settings\register-settings.php:107
action wp_footer includes\class-paoc-public.php:20
action wp_enqueue_scripts includes\class-popupaoc-script.php:19
action wp_enqueue_scripts includes\class-popupaoc-script.php:22
action admin_enqueue_scripts includes\class-popupaoc-script.php:25
action init includes\popupaoc-post-types.php:53
filter post_updated_messages includes\popupaoc-post-types.php:82
action plugins_loaded popup-anything-on-click.php:114
action update_option_active_plugins popup-anything-on-click.php:165
action admin_notices popup-anything-on-click.php:221
action admin_menu wpos-analytics\includes\class-anylc-admin.php:45
action admin_menu wpos-analytics\includes\class-anylc-admin.php:48
action admin_init wpos-analytics\includes\class-anylc-admin.php:51
action admin_notices wpos-analytics\includes\class-anylc-admin.php:54
action admin_footer wpos-analytics\includes\class-anylc-admin.php:57
action wp_loaded wpos-analytics\includes\class-anylc-admin.php:60
action init wpos-analytics\includes\class-anylc-admin.php:63
filter cron_schedules wpos-analytics\includes\class-anylc-admin.php:66
action wpos_monthly_cron_hook wpos-analytics\includes\class-anylc-admin.php:69
action rest_api_init wpos-analytics\includes\class-anylc-admin.php:72
filter rest_pre_serve_request wpos-analytics\includes\class-anylc-admin.php:585
action admin_enqueue_scripts wpos-analytics\includes\class-anylc-script.php:20
action activated_plugin wpos-analytics\wpos-analytics.php:244
action plugins_loaded wpos-analytics\wpos-analytics.php:258

Scheduled Events 1

wpos_monthly_cron_hook
Maintenance & Trust

Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 20, 2026
PHP min version
Downloads: 1.3M

Community Trust

Rating: 88/100
Number of ratings: 84
Active installs: 30K
Developer Profile

Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions Developer Profile

Essential Plugin

33 plugins · 205K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 219 days
Detection Fingerprints

How We Detect Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/popup-anything-on-click/assets/css/frontend.css
/wp-content/plugins/popup-anything-on-click/assets/js/frontend.js
/wp-content/plugins/popup-anything-on-click/assets/js/aoc-public.js
Script Paths
/wp-content/plugins/popup-anything-on-click/assets/js/frontend.js
/wp-content/plugins/popup-anything-on-click/assets/js/aoc-public.js
Version Parameters
popup-anything-on-click/assets/css/frontend.css?ver=
popup-anything-on-click/assets/js/frontend.js?ver=
popup-anything-on-click/assets/js/aoc-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
paoc-popup-content-wrapper
paoc-popup-overlay
paoc-popup-close
paoc-popup-container
paoc-popup-close-icon
Data Attributes
data-paoc-popup-id
JS Globals
popupaocPopupAnything
Shortcode Output
[popupaoc_popup id=""
[paoc_details id="