Popup Box – Easily Create WordPress Popups Security & Risk Analysis

The 'popup-box' plugin version 3.2.14 exhibits a mixed security posture. On the positive side, it demonstrates good practices by having all identified entry points (AJAX handlers, shortcodes) protected by nonce and capability checks, and a high percentage of SQL queries utilize prepared statements, with an even higher percentage of output being properly escaped. File operations and external HTTP requests are absent, which reduces the attack surface. However, the static analysis reveals a concerning finding: 100% of the analyzed taint flows have unsanitized paths. While no critical or high severity taint flows were detected, the presence of 3 high severity taint flows indicates potential vulnerabilities that could be exploited if certain conditions are met. The vulnerability history is a significant concern, with 4 previously disclosed CVEs, all of medium severity. The common vulnerability types (OS Command Injection, CSRF, PHP Remote File Inclusion) suggest a pattern of weaknesses that have been exploited in the past. Although no currently unpatched vulnerabilities are listed, the historical prevalence of these types of issues warrants caution. The plugin's last reported vulnerability in 2026 suggests the data might be from the future or contain an error, but the historical pattern remains relevant.

Overall, the plugin has made strides in implementing fundamental security controls like authentication and output escaping. The lack of critical or high severity taint flows in the current analysis is encouraging. However, the complete lack of sanitization in all analyzed taint flows, coupled with a history of diverse and serious vulnerability types, presents a notable risk. The plugin requires careful monitoring and prompt patching of any newly discovered vulnerabilities, and a deeper investigation into the nature of the unsanitized paths is recommended.