PopupAlly Security & Risk Analysis

wordpress.org/plugins/popupally

PopupAlly allows you to create advanced popup signup forms in under 5 minutes without dealing with messy code.

3K active installs · v2.1.6 · PHP + · WP 6.0+ · Updated May 22, 2025
conversion, free-popups, lightbox, popups, sign-up-form
98 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: May 20, 2024
Safety Verdict

Is PopupAlly Safe to Use in 2026?

Generally Safe

Score 98/100

PopupAlly has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: May 20, 2024 · Updated 10mo ago
Risk Assessment

Static analysis of PopupAlly v2.1.6 shows a generally good security posture, with a very small attack surface and a high percentage of properly escaped outputs. The absence of dangerous functions, external HTTP requests, and identified taint flows are positive indicators. However, the plugin's single SQL query does not use prepared statements. This is a notable concern, because the query could become a vector for SQL injection if its inputs are not handled carefully on the server side.

The plugin's vulnerability history, with 3 known medium-severity CVEs, primarily related to Cross-Site Scripting and Cross-Site Request Forgery, points to past security weaknesses. No vulnerabilities are currently reported as unpatched, but the recurrence of these vulnerability types indicates a need for ongoing vigilance and thorough code review. The most recent CVE is dated May 20, 2024, which suggests that the development team is actively addressing issues, although the past vulnerabilities may point to future discoveries if they were not properly remediated.

In conclusion, PopupAlly v2.1.6 presents a mixed security profile. Its limited attack surface and robust output escaping are strengths. The primary weaknesses are the SQL query that does not use a prepared statement and the historical pattern of medium-severity vulnerabilities, particularly XSS and CSRF, which warrant careful consideration. The absence of current unpatched critical or high-severity vulnerabilities is reassuring, but the past trend requires a proactive approach to security.

Key Concerns

  • Raw SQL query without prepared statements
  • Medium severity vulnerabilities in history (3 total)

Vulnerabilities (3)

PopupAlly Security Vulnerabilities

CVEs by Year: 3 CVEs in 2024

Severity Breakdown

Medium: 3 (3 total CVEs)

CVE-2024-34796 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PopupAlly <= 2.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 20, 2024 · Patched in 2.1.2 (10d)

CVE-2024-33639 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PopupAlly <= 2.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 25, 2024 · Patched in 2.1.2 (27d)

CVE-2024-23520 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

PopupAlly <= 2.1.0 - Cross-Site Request Forgery via optin_submit_callback

Jan 30, 2024 · Patched in 2.1.1 (4d)

Code Analysis
Analyzed Mar 16, 2026

PopupAlly Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 3 (102 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 2
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

97% escaped · 105 total outputs

Attack Surface

PopupAlly Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers (1)

auth · wp_ajax_popupally_free_optin_submit · popup-ally.php:92

WordPress Hooks (8)

action · plugins_loaded · popup-ally.php:82
action · admin_enqueue_scripts · popup-ally.php:85
action · add_meta_boxes · popup-ally.php:87
action · admin_menu · popup-ally.php:90
action · admin_init · popup-ally.php:91
action · wp_enqueue_scripts · popup-ally.php:94
action · wp_footer · popup-ally.php:95
filter · the_content · popup-ally.php:100

Maintenance & Trust

PopupAlly Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: May 22, 2025
PHP min version
Downloads: 373K

Community Trust

Rating: 82/100
Number of ratings: 76
Active installs: 3K

Developer Profile

PopupAlly Developer Profile

AccessAlly

3 plugins · 3K total installs

Trust score: 86
Avg Security Score: 89/100
Avg Patch Time: 14 days

Detection Fingerprints

How We Detect PopupAlly

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/popupally/resource/frontend/popup.min.js
/wp-content/plugins/popupally/resource/backend/popupally.css
/wp-content/plugins/popupally/resource/backend/js/popup-default-code.js
/wp-content/plugins/popupally/resource/backend/js/popupally.min.js
/wp-content/plugins/popupally/resource/backend/jscolor/jscolor.js

Script Paths
resource/frontend/popup.min.js
resource/backend/js/popup-default-code.js
resource/backend/js/popupally.min.js
resource/backend/jscolor/jscolor.js

Version Parameters
popupally/style.css?ver=
popupally.min.js?ver=
popup.min.js?ver=
popupally.css?ver=
popupally.js?ver=
jscolor.js?ver=

HTML / DOM Fingerprints

CSS Classes
popupally-optin-form
popupally-wrapper
popupally-close-button
popupally-main-content
popupally-image-wrapper
popupally-image
popupally-text-wrapper
popupally-title
+8 more

HTML Comments
<!-- PopupAlly - This content is generated dynamically -->
<!-- PopupAlly - Generated content start -->
<!-- PopupAlly - Generated content end -->
<!-- PopupAlly - Thank You Content Start -->
+2 more

Data Attributes
data-popupally-id
data-popupally-settings

JS Globals
popupally_action_object
popupally_data_object

REST Endpoints
/wp-json/popupally/v1/submit-optin
Shortcode Output
[popupally_embedded_form]