Pretty Simple Popup Builder Security & Risk Analysis

The "pretty-simple-popup-builder" plugin version 2.0.2 exhibits a mixed security posture. While it demonstrates good practices like using prepared statements for all SQL queries and a relatively high rate of output escaping (67%), several significant concerns exist. The plugin has two AJAX handlers, both of which lack authentication checks, creating a substantial attack surface for unauthorized actions. The vulnerability history reveals two previously disclosed medium-severity Cross-Site Scripting (XSS) vulnerabilities, with the most recent occurring in 2025. Although currently unpatched CVEs are zero, the recurring nature of XSS issues and the presence of unprotected AJAX endpoints are concerning.

Despite the lack of critical or high-severity taint analysis findings and the absence of raw SQL queries, the unprotected AJAX endpoints present a direct path for attackers to potentially exploit functionalities if they are not properly secured on the server-side. The 2025 vulnerability date is also unusual and warrants further investigation to confirm its validity or if it refers to a future disclosure.

In conclusion, the plugin has strengths in its SQL handling and output escaping efforts. However, the lack of authentication on its AJAX entry points and the history of XSS vulnerabilities significantly detract from its overall security. Organizations using this plugin should be cautious and prioritize securing these unprotected AJAX handlers. The bundled Freemius library version 1.0 is also worth noting as a potential outdated component if it's not actively maintained and patched.