WP-Safety

Smart Popup by Supsystic Security & Risk Analysis

wordpress.org/plugins/popup-by-supsystic

Create targeted popups for lead capture, event notifications, announcements, and promotions — shown at the right time without disrupting your visitors …

10K active installs v1.11.0 PHP + WP 6.0+ Updated Mar 30, 2026
exit-intentlead-capturemodalpopuppopups
91
A · Safe
CVEs total8
Unpatched0
Last CVENov 15, 2024
Plugin page Download
Safety Verdict

Is Smart Popup by Supsystic Safe to Use in 2026?

Generally Safe

Score 91/100

Smart Popup by Supsystic has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

8 known CVEsLast CVE: Nov 15, 2024Updated 1mo ago
Risk Assessment

The plugin 'popup-by-supsystic' v1.10.38 presents a mixed security posture. While the static analysis indicates a small attack surface with no immediately apparent unprotected entry points, significant concerns arise from the presence of dangerous functions and a substantial history of vulnerabilities. The use of `unserialize` is a notable red flag, as it can lead to Remote Code Execution if not handled with extreme care and proper input sanitization. Furthermore, the fact that 50% of outputs are not properly escaped suggests a potential for Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the website.

The plugin's vulnerability history is particularly concerning, with a total of 8 known CVEs, including 1 critical, 2 high, and 5 medium severity vulnerabilities. The types of past vulnerabilities, such as Improper Neutralization of Special Elements Used in a Template Engine, Missing Authorization, CSRF, Prototype Pollution, Information Exposure, and XSS, indicate a recurring pattern of insecure coding practices. The fact that a critical vulnerability was last patched only recently (though the date seems to be a placeholder in the provided data) does not negate the history of past serious flaws.

In conclusion, despite a seemingly limited attack surface in the current version's static analysis, the plugin's history of critical and high-severity vulnerabilities, coupled with the use of dangerous functions like `unserialize` and a high rate of unescaped output, warrants a cautious approach. The past patterns suggest a need for thorough ongoing security audits and a high level of vigilance when using this plugin.

Key Concerns

  • Dangerous function used (unserialize)
  • Low percentage of properly escaped output
  • Significant history of critical/high CVEs
  • History of critical severity vulnerabilities
  • History of high severity vulnerabilities
  • History of medium severity vulnerabilities
Vulnerabilities
8 published

Smart Popup by Supsystic Security Vulnerabilities

CVEs by Year

1 CVE in 2016
2016
1 CVE in 2021
2021
1 CVE in 2022
2022
3 CVEs in 2023
2023
2 CVEs in 2024
2024
Patched Has unpatched

Severity Breakdown

Critical
1
High
2
Medium
5

8 total CVEs

CVE-2024-52434critical · 9.1Improper Neutralization of Special Elements Used in a Template Engine

Popup by Supsystic <= 1.10.29 - Authenticated (Admin+) Remote Code Execution

Nov 15, 2024 Patched in 1.10.30 (147d)
CVE-2024-31421medium · 4.3Missing Authorization

Popup by Supsystic <= 1.10.27 - Missing Authorization

Apr 10, 2024 Patched in 1.10.28 (7d)
CVE-2023-46197medium · 4.3Exposure of Sensitive Information to an Unauthorized Actor

Popup by Supsystic <= 1.10.19 - Missing Authorization to Sensitive Information Exposure

Oct 18, 2023 Patched in 1.10.20 (97d)
CVE-2023-39997medium · 6.3Cross-Site Request Forgery (CSRF)

Popup by Supsystic <= 1.10.19 - Cross-Site Request Forgery

Aug 11, 2023 Patched in 1.10.20 (165d)
CVE-2023-3186high · 7.1Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Popup by Supsystic <= 1.10.18 - Prototype Pollution

Jun 23, 2023 Patched in 1.10.19 (214d)
CVE-2022-0424medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Popup by Supsystic <= 1.10.8 - Sensitive Information Disclosure

Apr 18, 2022 Patched in 1.10.9 (645d)
CVE-2021-24275medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup by Supsystic <= 1.10.4 - Reflected Cross-Site Scripting

Apr 19, 2021 Patched in 1.10.5 (1009d)
CVE-2016-10915high · 8.8Cross-Site Request Forgery (CSRF)

Popup by Supsystic < 1.7.9 - Cross-Site Request Forgery

Sep 7, 2016 Patched in 1.7.9 (2694d)
Version History

Smart Popup by Supsystic Release Timeline

v1.11.0Current
v1.10.38
v1.10.36
v1.10.35
v1.10.34
v1.10.33
v1.10.31
v1.10.30
v1.10.291 CVE
CVE-2024-52434
v1.10.281 CVE
CVE-2024-52434
v1.10.272 CVEs
CVE-2024-31421 CVE-2024-52434
v1.10.262 CVEs
CVE-2024-31421 CVE-2024-52434
v1.10.252 CVEs
CVE-2024-31421 CVE-2024-52434
v1.10.242 CVEs
CVE-2024-31421 CVE-2024-52434
v1.10.232 CVEs
CVE-2024-31421 CVE-2024-52434
v1.10.222 CVEs
CVE-2024-31421 CVE-2024-52434
v1.10.212 CVEs
CVE-2024-31421 CVE-2024-52434
v1.10.202 CVEs
CVE-2024-31421 CVE-2024-52434
v1.10.194 CVEs
CVE-2023-39997 CVE-2024-31421 CVE-2024-52434 +1 more
v1.10.185 CVEs
CVE-2023-39997 CVE-2023-3186 CVE-2024-31421 +2 more
Code Analysis
Analyzed Mar 16, 2026

Smart Popup by Supsystic Code Analysis

Dangerous Functions
3
Raw SQL Queries
3
5 prepared
Unescaped Output
397
395 escaped
Nonce Checks
9
Capability Checks
16
File Operations
29
External Requests
4
Bundled Libraries
1

Dangerous Functions Found

unserializeif (@!unserialize($data)) {classes\utils.php:22
unserializereturn unserialize($fixed);classes\utils.php:28
unserializereturn unserialize($data);classes\utils.php:30

Bundled Libraries

jQuery

SQL Query Safety

63% prepared8 total queries

Output Escaping

50% escaped792 total outputs
Attack Surface

Smart Popup by Supsystic Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[embed] modules\popup\views\popup.php:857
WordPress Hooks 48
actionadmin_noticesclasses\errors.php:54
filterthe_contentclasses\errors.php:56
actioninitclasses\frame.php:119
actioninitclasses\frame.php:145
actioninitclasses\frame.php:295
actionactivated_pluginclasses\modInstaller.php:160
actionactivated_pluginclasses\utils.php:399
filterwp_kses_allowed_htmlfunctions.php:409
actionadmin_menumodules\adminmenu\mod.php:10
filterwp_mail_content_typemodules\mail\mod.php:48
actioninitmodules\options\mod.php:12
actionwp_footermodules\popup\mod.php:14
actionshutdownmodules\popup\mod.php:15
filterwp_nav_menu_objectsmodules\popup\mod.php:16
actionadmin_bar_menumodules\popup\mod.php:18
actionwp_footermodules\popup\mod.php:19
actionadmin_bar_initmodules\popup\mod.php:21
filteroembed_resultmodules\popup\views\popup.php:674
actionadmin_footermodules\supsystic_promo\mod.php:17
actioninitmodules\supsystic_promo\mod.php:19
actionadmin_enqueue_scriptsmodules\supsystic_promo\mod.php:29
actionadmin_enqueue_scriptsmodules\templates\mod.php:26
actioninitmodules\templates\mod.php:27
filtersafe_style_cssmodules\templates\mod.php:53
actioninitmodules\tgm_promo\classes\class-tgm-plugin-activation.php:268
filterload_textdomain_mofilemodules\tgm_promo\classes\class-tgm-plugin-activation.php:269
actioninitmodules\tgm_promo\classes\class-tgm-plugin-activation.php:272
actionadmin_menumodules\tgm_promo\classes\class-tgm-plugin-activation.php:421
actionadmin_headmodules\tgm_promo\classes\class-tgm-plugin-activation.php:422
filterinstall_plugin_complete_actionsmodules\tgm_promo\classes\class-tgm-plugin-activation.php:425
filterupdate_plugin_complete_actionsmodules\tgm_promo\classes\class-tgm-plugin-activation.php:426
actionadmin_noticesmodules\tgm_promo\classes\class-tgm-plugin-activation.php:429
actionadmin_initmodules\tgm_promo\classes\class-tgm-plugin-activation.php:430
actionadmin_enqueue_scriptsmodules\tgm_promo\classes\class-tgm-plugin-activation.php:431
actionload-plugins.phpmodules\tgm_promo\classes\class-tgm-plugin-activation.php:436
actionswitch_thememodules\tgm_promo\classes\class-tgm-plugin-activation.php:439
actionswitch_thememodules\tgm_promo\classes\class-tgm-plugin-activation.php:442
actionadmin_initmodules\tgm_promo\classes\class-tgm-plugin-activation.php:447
actionswitch_thememodules\tgm_promo\classes\class-tgm-plugin-activation.php:452
actionload_textdomain_mofilemodules\tgm_promo\classes\class-tgm-plugin-activation.php:475
filterupgrader_source_selectionmodules\tgm_promo\classes\class-tgm-plugin-activation.php:889
actionplugins_loadedmodules\tgm_promo\classes\class-tgm-plugin-activation.php:2112
filtertgmpa_table_data_itemsmodules\tgm_promo\classes\class-tgm-plugin-activation.php:2236
filterupgrader_source_selectionmodules\tgm_promo\classes\class-tgm-plugin-activation.php:2977
actionadmin_initmodules\tgm_promo\classes\class-tgm-plugin-activation.php:3147
actionupgrader_process_completemodules\tgm_promo\classes\class-tgm-plugin-activation.php:3242
filterupgrader_post_installmodules\tgm_promo\classes\class-tgm-plugin-activation.php:3301
filterupgrader_post_installmodules\tgm_promo\classes\class-tgm-plugin-activation.php:3446
Maintenance & Trust

Smart Popup by Supsystic Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 30, 2026
PHP min version
Downloads1.6M

Community Trust

Rating90/100
Number of ratings340
Active installs10K
Alternatives

Smart Popup by Supsystic Alternatives

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

ays-popup-box

A
89

Build flexible popups and modal windows with multiple popup types, triggers, and display controls.

50K 18 CVEs
Poptin – Exit Pop Ups & Email Popups

Poptin – Exit Pop Ups & Email Popups

poptin

A
100

Free exit intent popup builder, gamified popups with spin the wheel, contact form builder & lead generation pop ups platform for your website. 🎉

20K 1 CVE
Pop-up

Pop-up

pop-up-pop-up

A
99

Pop-up Popups

10K 2 CVEs
Modal Popup Box

Modal Popup Box

modal-popup-box

A
94

Create and manage customizable modal popup boxes with CSS animations. Embed images, videos, forms, shortcodes, and more.

2K 2 CVEs
Nelio Popups

Nelio Popups

nelio-popups

A
98

An intuitive popup designer based on open WordPress technologies

1K 2 CVEs
Developer Profile

Smart Popup by Supsystic Developer Profile

supsystic

7 plugins · 97K total installs

75
trust score
Avg Security Score
94/100
Avg Patch Time
589 days
View full developer profile
Detection Fingerprints

How We Detect Smart Popup by Supsystic

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/popup-by-supsystic/classes/css//wp-content/plugins/popup-by-supsystic/js/
Script Paths
/wp-content/plugins/popup-by-supsystic/js/popup.js
Version Parameters
popup-by-supsystic/classes/css/style.css?ver=popup-by-supsystic/js/popup.js?ver=

HTML / DOM Fingerprints

CSS Classes
pps-popup-contentpps-popup-overlay
HTML Comments
<!-- popup-by-supsystic START --><!-- popup-by-supsystic END -->
Data Attributes
data-pps-iddata-pps-type
JS Globals
pps
REST Endpoints
/wp-json/pps/v1/popup/
FAQ

Frequently Asked Questions about Smart Popup by Supsystic