WP-Safety

AI Popup Security & Risk Analysis

wordpress.org/plugins/popup-more

Popup AI is an advanced WordPress popup plugin that leverages the power of AI to create intelligent, highly customizable popups.

400 active installs v2.6.0 PHP + WP 3.8+ Updated Dec 7, 2025
popuppopups
99
A · Safe
CVEs total2
Unpatched0
Last CVEMay 14, 2024
Download
Safety Verdict

Is AI Popup Safe to Use in 2026?

Generally Safe

Score 99/100

AI Popup has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: May 14, 2024Updated 5mo ago
Risk Assessment

The "popup-more" v2.6.0 plugin exhibits a generally good security posture with a large majority of its code adhering to best practices. The static analysis reveals robust handling of SQL queries with a high percentage of prepared statements and proper output escaping. The absence of dangerous functions and file operations is also a positive indicator. However, concerns arise from the "taint analysis" which identified one high-severity flow with unsanitized paths. This, coupled with four flows with unsanitized paths, suggests a potential for attackers to manipulate input in ways that could lead to unexpected behavior or vulnerabilities.

The vulnerability history of this plugin is a significant concern. While there are no currently unpatched CVEs, the presence of two known medium-severity vulnerabilities, including Cross-Site Scripting and Path Traversal, indicates a recurring pattern of exploitable weaknesses. The recent discovery of these vulnerabilities (May 2024) suggests that the issues, even if patched, may have been present for a considerable time and potentially still exist in unpatched versions or could be reintroduced. The previous vulnerabilities point to a historical tendency to allow user-controlled input to influence critical operations like path manipulation or script execution.

In conclusion, "popup-more" v2.6.0 demonstrates strengths in secure coding practices like prepared statements and output escaping. However, the identified high-severity taint flow and historical medium-severity vulnerabilities, particularly in areas of input sanitization and path handling, necessitate careful consideration. The plugin's history suggests a need for ongoing vigilance and thorough testing to ensure that new versions do not reintroduce similar security flaws.

Key Concerns

  • High severity taint flow with unsanitized path
  • 4 flows with unsanitized paths
  • 2 known medium severity vulnerabilities
  • Capability check only on 1 entry point (out of 25)
Vulnerabilities
2 published

AI Popup Security Vulnerabilities

CVEs by Year

2 CVEs in 2024
2024
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2024-32800medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Popup More Popups <= 2.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 14, 2024 Patched in 2.3.3 (7d)
CVE-2024-0844medium · 4.7Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Popup More <= 2.2.4 - Authenticated (Admin+) Directory Traversal to Limited Local File Inclusion

Feb 1, 2024 Patched in 2.2.5 (9d)
Version History

AI Popup Release Timeline

v2.3.6
v1.7.72 CVEs
CVE-2024-0844 CVE-2024-32800
v1.7.62 CVEs
CVE-2024-0844 CVE-2024-32800
v1.7.52 CVEs
CVE-2024-0844 CVE-2024-32800
v1.7.42 CVEs
CVE-2024-0844 CVE-2024-32800
v1.7.22 CVEs
CVE-2024-0844 CVE-2024-32800
v1.7.12 CVEs
CVE-2024-0844 CVE-2024-32800
v1.7.02 CVEs
CVE-2024-0844 CVE-2024-32800
v1.6.92 CVEs
CVE-2024-0844 CVE-2024-32800
v1.6.82 CVEs
CVE-2024-0844 CVE-2024-32800
v1.6.72 CVEs
CVE-2024-0844 CVE-2024-32800
v1.6.62 CVEs
CVE-2024-0844 CVE-2024-32800
v1.6.52 CVEs
CVE-2024-0844 CVE-2024-32800
v1.6.42 CVEs
CVE-2024-0844 CVE-2024-32800
v1.6.32 CVEs
CVE-2024-0844 CVE-2024-32800
v1.6.22 CVEs
CVE-2024-0844 CVE-2024-32800
v1.6.12 CVEs
CVE-2024-0844 CVE-2024-32800
v1.6.02 CVEs
CVE-2024-0844 CVE-2024-32800
v1.5.92 CVEs
CVE-2024-0844 CVE-2024-32800
v1.5.82 CVEs
CVE-2024-0844 CVE-2024-32800
Code Analysis
Analyzed Mar 16, 2026

AI Popup Code Analysis

Dangerous Functions
0
Raw SQL Queries
2
57 prepared
Unescaped Output
100
1077 escaped
Nonce Checks
22
Capability Checks
1
File Operations
0
External Requests
2
Bundled Libraries
1

Bundled Libraries

Select2

SQL Query Safety

97% prepared59 total queries

Output Escaping

92% escaped1177 total outputs
Data Flows · Security
4 unsanitized

Data Flow Analysis

18 flows4 with unsanitized paths
pageSelectionMetaBox (classes\Actions.php:460)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

AI Popup Attack Surface

Entry Points25
Unprotected0

AJAX Handlers 24

authwp_ajax_ypm-change-element-dataclasses\Ajax.php:18
authwp_ajax_ypm-remove-element-from-listclasses\Ajax.php:19
authwp_ajax_ypm-add-sub-option-optionclasses\Ajax.php:20
authwp_ajax_ypm-delete-sub-optionclasses\Ajax.php:21
authwp_ajax_ypm-sub-option-changeclasses\Ajax.php:22
authwp_ajax_ypm_change_popup_statusclasses\Ajax.php:23
authwp_ajax_ypm_export_subscriptionclasses\Ajax.php:24
authwp_ajax_ypm_dont_show_review_noticeclasses\Ajax.php:27
authwp_ajax_ypm_change_review_show_periodclasses\Ajax.php:28
authwp_ajax_ypm_increment_popup_countclasses\Ajax.php:30
noprivwp_ajax_ypm_increment_popup_countclasses\Ajax.php:31
authwp_ajax_ypm_reset_view_countclasses\Ajax.php:33
authwp_ajax_ypm_send_feature_suggestionclasses\Ajax.php:34
authwp_ajax_ypm_hide_suggestionclasses\Ajax.php:35
authwp_ajax_ypm_select2_search_dataclasses\Ajax.php:38
authwp_ajax_ypm_edit_conditions_rowclasses\Ajax.php:39
authwp_ajax_ypm_add_conditions_rowclasses\Ajax.php:40
authwp_ajax_ypm_subscribedclasses\Ajax.php:42
noprivwp_ajax_ypm_subscribedclasses\Ajax.php:43
authwp_ajax_ypm_subscribers_deleteclasses\Ajax.php:44
authwp_ajax_ypm-shape-form-elementclasses\Ajax.php:46
authwp_ajax_ypm_chatgpt_chatclasses\Ajax.php:48
noprivwp_ajax_ypm_chatgpt_chatclasses\Ajax.php:49
authwp_ajax_ypm_check_AI_KEYclasses\Ajax.php:50

Shortcodes 1

[ypm_popup] classes\Actions.php:43
WordPress Hooks 72
actioninitclasses\Actions.php:30
actionadmin_initclasses\Actions.php:31
actionadd_meta_boxesclasses\Actions.php:32
actionupgrader_process_completeclasses\Actions.php:34
actionupgrader_post_installclasses\Actions.php:35
actionadmin_initclasses\Actions.php:38
actionsave_postclasses\Actions.php:40
actionadmin_enqueue_scriptsclasses\Actions.php:41
actionwp_enqueue_scriptsclasses\Actions.php:44
actionmedia_buttonsclasses\Actions.php:45
actionmedia_buttonsclasses\Actions.php:46
actionadmin_footerclasses\Actions.php:47
actionadmin_footerclasses\Actions.php:48
actionadd_meta_boxesclasses\Actions.php:49
actionplugins_loadedclasses\Actions.php:50
actionadmin_action_ypm_duplicate_post_as_draftclasses\Actions.php:51
actionadmin_headclasses\Actions.php:53
filterpll_get_post_typesclasses\Actions.php:54
actiondefault_contentclasses\Actions.php:55
actionYpmAiChatMessageclasses\Actions.php:56
actionadmin_menuclasses\Actions.php:59
actionwp_headclasses\Actions.php:233
actionadmin_noticesclasses\Actions.php:537
actionnetwork_admin_noticesclasses\Actions.php:538
actionuser_admin_noticesclasses\Actions.php:539
actionadmin_post_ypmSaveSettingsclasses\admin\AdminPost.php:13
actionelementor/widgets/registerclasses\admin\ElementorWidget.php:63
actionelementor/widgets/registerclasses\admin\ElementorWidget.php:120
actionelementor/frontend/after_enqueue_stylesclasses\admin\ElementorWidget.php:128
actionadmin_footerclasses\dataTable\ListTable.php:139
filteradmin_urlclasses\Filters.php:13
filterypmRenderContentclasses\Filters.php:14
filterypmSavedDataclasses\Filters.php:15
filterpost_row_actionsclasses\Filters.php:16
filterypmRenderContentclasses\Filters.php:17
filterypmRenderContentEndclasses\Filters.php:18
filterYpmDefaultDataOptionsclasses\Filters.php:19
filtersafecss_filter_attr_allow_cssclasses\Filters.php:20
actionwp_footerclasses\frontend\IncludeManager.php:73
actionwp_footerclasses\frontend\IncludeManager.php:89
filterypmDefaultOptionsclasses\frontend\popups\AgerestrictionPopup.php:12
filterypmDefaultOptionsclasses\frontend\popups\AichatPopup.php:14
filterypmDefaultOptionsclasses\frontend\popups\ContactformPopup.php:18
filterypmDefaultOptionsclasses\frontend\popups\CountdownPopup.php:13
filterypmDefaultOptionsclasses\frontend\popups\GamificationPopup.php:12
filterypmRenderContentclasses\frontend\popups\GamificationPopup.php:13
filterypmMetaboxesclasses\frontend\popups\ImagePopup.php:8
filterypmDefaultOptionsclasses\frontend\popups\ImagePopup.php:9
filterypmMetaboxesclasses\frontend\popups\LinkPopup.php:8
filterypmDefaultOptionsclasses\frontend\popups\SocialPopup.php:19
filterypmDefaultOptionsclasses\frontend\popups\SubscriptionPopup.php:29
filterypmDefaultOptionsclasses\frontend\popups\WheelPopup.php:11
filterypmYoutubeVideoUrlclasses\frontend\popups\YoutubePopupPro.php:13
filterypmYoutubeTypesclasses\frontend\popups\YoutubePopupPro.php:14
filterypmNamesMapclasses\frontend\popups\YoutubePopupPro.php:15
actionadmin_footerclasses\frontend\ScriptsLoader.php:125
filterypmDefaultOptionsclasses\popups\AgerestrictionPopup.php:12
filterypmDefaultOptionsclasses\popups\AichatPopup.php:14
filterypmDefaultOptionsclasses\popups\GamificationPopup.php:12
filterypmRenderContentclasses\popups\GamificationPopup.php:13
filterypmMetaboxesclasses\popups\ImagePopup.php:8
filterypmDefaultOptionsclasses\popups\ImagePopup.php:9
filterypmDefaultOptionsclasses\popups\SubscriptionPopup.php:29
actionadmin_menuclasses\YpmRegistration.php:496
filterypmConditionsDisplayKeysconfig\data-config.php:773
filterycdConditionsDisplayAttributesconfig\data-config.php:774
filterycdConditionsDisplayValuesconfig\data-config.php:775
filterypmPopupTargetParamshelpers\ConfigDataHelper.php:60
filterypmPopupTargetDatahelpers\ConfigDataHelper.php:61
filterypmPopupTargetTypeshelpers\ConfigDataHelper.php:62
filterypmPopupTargetAttrshelpers\ConfigDataHelper.php:63
filterypmPopupPageTemplateshelpers\ConfigDataHelper.php:64
Maintenance & Trust

AI Popup Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedDec 7, 2025
PHP min version
Downloads61K

Community Trust

Rating92/100
Number of ratings21
Active installs400
Alternatives

AI Popup Alternatives

Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation

Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation

optinmonster

A
96

🤩 Make popups & optin forms to get more email newsletter subscribers, leads, and sales - #1 most popular popup builder plugin! 🚀

1.0M 6 CVEs
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder

Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder

popup-maker

A
91

Want to boost sales & marketing efforts? Use your favorite forms & builder. Unlimited popups & impressions, keep your data, no monthly subscription.

700K 18 CVEs
Advanced Popups

Advanced Popups

advanced-popups

A
100

Display high-converting newsletter popups, a cookie notice, or a notification with the light-weight yet feature-rich plugin.

60K 1 CVE
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

ays-popup-box

A
89

Build flexible popups and modal windows with multiple popup types, triggers, and display controls.

50K 18 CVEs
WP Popups – WordPress Popup builder

WP Popups – WordPress Popup builder

wp-popups-lite

A
95

WP Popups is the best popup maker for WordPress. Easy but powerful plugin with display filters, scroll-triggered popups, and Gutenberg block editor.

30K 6 CVEs
Developer Profile

AI Popup Developer Profile

devfelixmoira

6 plugins · 2K total installs

80
trust score
Avg Security Score
80/100
Avg Patch Time
8 days
View full developer profile
Detection Fingerprints

How We Detect AI Popup

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/popup-more/admin/css/settings.css/wp-content/plugins/popup-more/admin/css/style.css/wp-content/plugins/popup-more/admin/js/settings.js/wp-content/plugins/popup-more/admin/js/shortcode-manager.js/wp-content/plugins/popup-more/admin/js/tinymce_button.js/wp-content/plugins/popup-more/assets/css/ypm-front.css/wp-content/plugins/popup-more/assets/css/ypm-front.min.css/wp-content/plugins/popup-more/assets/js/ypm-front.js+3 more
Script Paths
/wp-content/plugins/popup-more/admin/js/settings.js/wp-content/plugins/popup-more/admin/js/shortcode-manager.js/wp-content/plugins/popup-more/admin/js/tinymce_button.js/wp-content/plugins/popup-more/assets/js/ypm-front.js/wp-content/plugins/popup-more/assets/js/ypm-popup.js
Version Parameters
popup-more/admin/css/settings.css?ver=popup-more/admin/css/style.css?ver=popup-more/admin/js/settings.js?ver=popup-more/admin/js/shortcode-manager.js?ver=popup-more/admin/js/tinymce_button.js?ver=popup-more/assets/css/ypm-front.css?ver=popup-more/assets/js/ypm-front.js?ver=popup-more/assets/js/ypm-popup.js?ver=

HTML / DOM Fingerprints

CSS Classes
ypm-popup-contentypm_popupypm-popup-closeypm-popup-overlayypm-popup-wrap
HTML Comments
YPM_POPUP_POST_TYPE
Data Attributes
ypm_typeypm_module_id
JS Globals
YPM_POPUP_POST_TYPEYPM_IMAGE_POST_TYPEYPM_LINK_POST_TYPEYPM_GAMIFICATION_POST_TYPE
Shortcode Output
[ypm_popup
FAQ

Frequently Asked Questions about AI Popup