Simple Popup Plugin Security & Risk Analysis

wordpress.org/plugins/simple-popup-plugin

This plugin makes it easy to create a simple, modifiable popup window.

1K active installs · v4.6 · PHP + WP 2.8+ · Updated Oct 1, 2024
Tags: bands, music, popup, simple, tools
Score: 69 (C · Use Caution)
CVEs total: 3
Unpatched: 1
Last CVE: Nov 28, 2024
Safety Verdict

Is Simple Popup Plugin Safe to Use in 2026?

Use With Caution

Score 69/100

Simple Popup Plugin has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

3 known CVEs · 1 unpatched · Last CVE: Nov 28, 2024 · Updated 1yr ago
Risk Assessment

The "simple-popup-plugin" v4.6 presents a mixed security posture. While it demonstrates good practices by exclusively using prepared statements for SQL queries and avoiding file operations and external HTTP requests, significant concerns arise from other areas. The presence of two "unserialize" calls is a major red flag, as deserialization vulnerabilities can lead to remote code execution if not handled with extreme care and proper input validation. Furthermore, the code analysis indicates that only 58% of output is properly escaped, suggesting a potential for Cross-Site Scripting (XSS) vulnerabilities, which is corroborated by the plugin's vulnerability history.

The plugin's vulnerability history is a cause for concern, with three known CVEs, one of which remains unpatched. All historical vulnerabilities are medium severity and have been related to Cross-Site Scripting. This pattern indicates a recurring weakness in how the plugin handles user-supplied input and sanitizes output, despite some positive coding practices. The recent vulnerability in late 2024 further underscores the ongoing need for vigilance and patching.

In conclusion, while the plugin avoids common pitfalls like unprotected AJAX handlers, REST API routes, and raw SQL queries, the latent risk from "unserialize" usage combined with a history of XSS vulnerabilities and an unpatched CVE points to a moderate to high-risk plugin. Users should be cautious, especially with the unpatched vulnerability.

Key Concerns

  • Unpatched CVE found
  • Dangerous function: unserialize used
  • Low output escaping percentage
  • No nonce checks implemented
  • No capability checks implemented
Vulnerabilities (3)

Simple Popup Plugin Security Vulnerabilities

CVEs by Year

2024: 3 CVEs (has unpatched)

Severity Breakdown

Medium: 3 (3 total CVEs)

  • CVE-2024-53741 (medium · 6.4) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Simple Popup <= 4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
    Nov 28, 2024 · Unpatched
  • CVE-2024-8547 (medium · 6.4) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Simple Popup Plugin <= 4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
    Sep 27, 2024 · Patched in 4.6 (7d)
  • CVE-2024-38689 (medium · 4.4) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Simple Popup <= 4.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
    Jul 10, 2024 · Patched in 4.5 (9d)
Code Analysis (analyzed Mar 16, 2026)

Simple Popup Plugin Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 16 (22 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · simple-popup-widget.php:22
    $urls = unserialize( $instance['urls'] );
unserialize · simple-popup-widget.php:68
    $urls = ($instance['urls'] != '') ? unserialize( $instance['urls'] ) : array();

Output Escaping

58% escaped (22 of 38 total outputs)
Attack Surface

Simple Popup Plugin Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes (1)

[popup] · simple_popup_plugin.php:75

WordPress Hooks (3)

action · wp_head · simple_popup_plugin.php:63
action · admin_menu · simple_popup_plugin.php:66
action · widgets_init · simple_popup_plugin.php:77
Maintenance & Trust

Simple Popup Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Oct 1, 2024
PHP min version
Downloads: 126K

Community Trust

Rating: 98/100
Number of ratings: 12
Active installs: 1K
Developer Profile

Simple Popup Plugin Developer Profile

Garrett Grimm

7 plugins · 111K total installs

Trust score: 68
Avg Security Score: 84/100
Avg Patch Time: 881 days
Detection Fingerprints

How We Detect Simple Popup Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes
simple_popup_link
HTML Comments
<!--Simple Popup Plugin v4.0 / RH Mods-->
<!--/Simple Popup Plugin-->
JS Globals
var swin=null;function popitup(mypage,w,h,pos,myname,infocus){
Shortcode Output
<a href="" onclick="return popitup(this.href, , );" class="simple_popup_link
FAQ

Frequently Asked Questions about Simple Popup Plugin