Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers Security & Risk Analysis

wordpress.org/plugins/popup-builder-block

Powerful Popup Builder Block for Gutenberg block editor.

60K active installs · v2.2.4 · PHP 7.4+ · WP 6.2+ · Updated Mar 9, 2026
Tags: exit-popup, popup, popup-builder, popup-builder-blocks, popup-maker
Score: 60 (C · Use Caution)
CVEs total: 7
Unpatched: 1
Last CVE: Feb 9, 2026
Safety Verdict

Is Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers Safe to Use in 2026?

Use With Caution

Score 60/100

Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

7 known CVEs · 1 unpatched · Last CVE: Feb 9, 2026 · Updated 25d ago
Risk Assessment

The "popup-builder-block" plugin v2.2.4 presents a mixed security profile. On the positive side, the static analysis reveals strong adherence to secure coding practices in several areas. All identified SQL queries utilize prepared statements, indicating a good defense against SQL injection. The vast majority of output is properly escaped, mitigating cross-site scripting (XSS) risks. Furthermore, the plugin incorporates nonce and capability checks, and its attack surface appears to be well-protected by authorization mechanisms.

However, significant concerns arise from the plugin's historical vulnerability record. Seven known CVEs, including one currently unpatched and a recent vulnerability discovered in 2026, indicate a pattern of security flaws. The types of past vulnerabilities, such as missing authorization, information exposure, SSRF, and SQL injection, are serious and suggest underlying architectural weaknesses or ongoing maintenance issues. The presence of an unpatched vulnerability is particularly alarming, as it leaves users exposed to known exploits.

In conclusion, while the current static analysis shows some good security implementations, the plugin's past strongly suggests a need for caution. The unpatched vulnerability is a critical immediate risk. The recurring nature of high-severity vulnerability types in its history points to potential systemic issues that may not be fully captured by a single static analysis run. Users should prioritize updating to a version that addresses all known vulnerabilities, especially the unpatched one.

Key Concerns

  • Unpatched CVE
  • History of high severity vulnerabilities
  • History of SSRF vulnerabilities
  • History of SQL Injection vulnerabilities
  • History of Exposure of Sensitive Information
  • History of Missing Authorization vulnerabilities
  • One output not properly escaped
Vulnerabilities
7

Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers Security Vulnerabilities

CVEs by Year

  • 2025: 4 CVEs (has unpatched)
  • 2026: 3 CVEs

Severity Breakdown

  • High: 3
  • Medium: 4

7 total CVEs

CVE-2025-14895 · medium · 5.4 · Missing Authorization

PopupKit <= 2.2.0 - Missing Authorization to Sensitive Information Disclosure and Data Deletion

Feb 9, 2026 · Patched in 2.2.1 (1d)

CVE-2025-13192 · high · 8.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Popup builder with Gamification <= 2.2.0 - Unauthenticated SQL Injection via Multiple REST API Endpoints

Feb 4, 2026 · Patched in 2.2.1 (1d)

CVE-2025-14441 · medium · 5.3 · Missing Authorization

Popupkit <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Subscriber Data Deletion

Jan 5, 2026 · Patched in 2.2.1 (1d)

CVE-2025-69026 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

PopupKit <= 2.2.1 - Authenticated (Subscriber+) Information Exposure

Dec 29, 2025 · Unpatched

CVE-2025-14314 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

PopupKit <= 2.1.5 - Authenticated (Subscriber+) SQL Injection

Nov 21, 2025 · Patched in 2.2.0 (29d)

CVE-2025-10861 · high · 7.5 · Server-Side Request Forgery (SSRF)

Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers <= 2.1.4 - Unauthenticated Server-Side Request Forgery

Oct 23, 2025 · Patched in 2.1.5 (1d)

CVE-2025-10862 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers <= 2.1.3 - Unauthenticated SQL Injection via 'id'

Oct 8, 2025 · Patched in 2.1.4 (1d)

Code Analysis
Analyzed Mar 16, 2026

Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (48 prepared)
  • Unescaped Output: 1 (32 escaped)
  • Nonce Checks: 6
  • Capability Checks: 9
  • File Operations: 3
  • External Requests: 7
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 48 total queries

Output Escaping

97% escaped · 33 total outputs

Attack Surface

Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers 1

auth · wp_ajax_pbb_trigger_font_gathering · includes\Hooks\FontFamilyGenerator.php:21

Shortcodes 1

[popupkit] includes\Hooks\PopupGenerator.php:26
WordPress Hooks 39
action · admin_menu · includes\Admin\Admin.php:28
action · admin_enqueue_scripts · includes\Admin\Admin.php:29
action · init · includes\Config\Blocks.php:29
action · block_categories_all · includes\Config\Blocks.php:30
filter · render_block · includes\Config\Blocks.php:31
action · init · includes\Config\PostMeta.php:10
action · pbb_analytics_expiry_clean · includes\Hooks\AnalyticsExpiry.php:12
action · save_post · includes\Hooks\AssetGenerator.php:14
action · admin_init · includes\Hooks\Cpt.php:18
action · init · includes\Hooks\Cpt.php:19
filter · allowed_block_types_all · includes\Hooks\Cpt.php:20
filter · use_block_editor_for_post_type · includes\Hooks\Cpt.php:23
action · admin_init · includes\Hooks\DatabaseUpdater.php:17
action · enqueue_block_editor_assets · includes\Hooks\Enqueue.php:18
action · enqueue_block_assets · includes\Hooks\Enqueue.php:19
action · popup_builder_block/before_popup_render · includes\Hooks\Enqueue.php:20
action · save_post · includes\Hooks\FontFamilyGenerator.php:23
action · wp_resource_hints · includes\Hooks\FontFamilyGenerator.php:24
action · popup_builder_block/before_popup_render · includes\Hooks\FontFamilyGenerator.php:25
action · enqueue_block_assets · includes\Hooks\FontFamilyGenerator.php:26
action · admin_enqueue_scripts · includes\Hooks\FontFamilyGenerator.php:28
action · popup_builder_block/gathering_fonts · includes\Hooks\FontFamilyGenerator.php:29
action · wp · includes\Hooks\PopupGenerator.php:24
action · wp_footer · includes\Hooks\PopupGenerator.php:25
filter · template_include · includes\Hooks\Preview.php:17
filter · template_redirect · includes\Hooks\Preview.php:18
filter · show_admin_bar · includes\Hooks\Preview.php:70
filter · tiny_mce_plugins · includes\Hooks\Preview.php:78
filter · wp_resource_hints · includes\Hooks\Preview.php:79
action · wp_enqueue_scripts · includes\Hooks\ThirdPartyCompatibility.php:8
filter · upload_mimes · includes\Libs\UnfilteredFileSupport.php:22
filter · wp_handle_upload_prefilter · includes\Libs\UnfilteredFileSupport.php:23
filter · wp_check_filetype_and_ext · includes\Libs\UnfilteredFileSupport.php:24
action · rest_api_init · includes\Routes\Api.php:12
filter · upload_mimes · includes\Routes\ProcessDownload.php:92
filter · plugin_action_links · popup-builder-block.php:56
filter · plugin_row_meta · popup-builder-block.php:59
action · plugins_loaded · popup-builder-block.php:67
action · init · popup-builder-block.php:70

Scheduled Events 1

pbb_analytics_expiry_clean
Maintenance & Trust

Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 9, 2026
  • PHP min version: 7.4
  • Downloads: 285K

Community Trust

  • Rating: 100/100
  • Number of ratings: 6
  • Active installs: 60K
Developer Profile

Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers Developer Profile

Roxnor

15 plugins · 3.0M total installs

  • Trust score: 73
  • Avg Security Score: 91/100
  • Avg Patch Time: 118 days
Detection Fingerprints

How We Detect Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/popup-builder-block/build/blocks/PopupBuilderBlock/index.js
  • /wp-content/plugins/popup-builder-block/build/blocks/PopupBuilderBlock/editor.asset.php
  • /wp-content/plugins/popup-builder-block/build/blocks/PopupBuilderBlock/frontend.asset.php
  • /wp-content/plugins/popup-builder-block/build/index.asset.php
  • /wp-content/plugins/popup-builder-block/build/frontend.asset.php
  • /wp-content/plugins/popup-builder-block/includes/Admin/assets/css/admin.css
  • /wp-content/plugins/popup-builder-block/includes/Admin/assets/js/admin.js
  • /wp-content/plugins/popup-builder-block/assets/css/frontend.css
  • +1 more

Script Paths

  • /wp-content/plugins/popup-builder-block/build/blocks/PopupBuilderBlock/index.js
  • /wp-content/plugins/popup-builder-block/build/blocks/PopupBuilderBlock/editor.asset.php
  • /wp-content/plugins/popup-builder-block/build/blocks/PopupBuilderBlock/frontend.asset.php
  • /wp-content/plugins/popup-builder-block/build/index.asset.php
  • /wp-content/plugins/popup-builder-block/build/frontend.asset.php
  • /wp-content/plugins/popup-builder-block/includes/Admin/assets/js/admin.js
  • +1 more

Version Parameters

  • popup-builder-block/build/blocks/PopupBuilderBlock/index.js?ver=
  • popup-builder-block/build/blocks/PopupBuilderBlock/editor.asset.php?ver=
  • popup-builder-block/build/blocks/PopupBuilderBlock/frontend.asset.php?ver=
  • popup-builder-block/build/index.asset.php?ver=
  • popup-builder-block/build/frontend.asset.php?ver=
  • popup-builder-block/includes/Admin/assets/css/admin.css?ver=
  • popup-builder-block/includes/Admin/assets/js/admin.js?ver=
  • popup-builder-block/assets/css/frontend.css?ver=
  • popup-builder-block/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • popup-builder-block-editor-wrapper
  • popup-builder-block-editor-container

HTML Comments

  • <!-- Popup Builder Block plugin activation hook -->
  • <!-- Popup Builder Block plugin deactivation hook -->
  • <!-- PopupKit Admin Menu -->
  • <!-- PopupKit Campaigns Submenu -->
  • +2 more

Data Attributes

  • data-popup-id
  • data-popup-selector

JS Globals

  • PopupBuilderBlock