WP-Safety

Splash Popup for WooCommerce Security & Risk Analysis

wordpress.org/plugins/splash-popup-for-woocommerce

If you has some important content you’d like to share with your visitors, whether that’s a welcome message, links to your best posts or your most popu …

50 active installs v3.6.2.3 PHP 7.0+ WP 5.0+ Updated Mar 12, 2026
popuppromo-popupsale-popupsplash-popup-for-woocommercewoocommerce-popup
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Splash Popup for WooCommerce Safe to Use in 2026?

Generally Safe

Score 100/100

Splash Popup for WooCommerce has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 22d ago
Risk Assessment

The "splash-popup-for-woocommerce" plugin v3.6.2.3 exhibits a generally strong security posture with several commendable practices. Notably, all identified entry points (12 AJAX handlers) have security checks in place, and 100% of SQL queries utilize prepared statements, mitigating the risk of SQL injection. The presence of 14 nonce checks and 23 capability checks further strengthens its defenses against common WordPress attacks. However, the static analysis does reveal a significant concern: the use of the `unserialize()` function. This function is notoriously dangerous as it can lead to Remote Code Execution (RCE) if the serialized data it processes is attacker-controlled or tampered with. While no explicit taint flows involving `unserialize` were flagged as critical or high, the mere presence of this function without further context on how it's used represents a potential weakness.

Furthermore, the output escaping is only properly implemented in 39% of cases. This indicates a substantial risk of Cross-Site Scripting (XSS) vulnerabilities, where malicious scripts could be injected into the site. The taint analysis, while showing no critical or high severity unsanitized paths, did flag one flow with an unsanitized path. Combined with the low output escaping percentage, this suggests a latent XSS risk that might not have been fully captured by the static analysis. The plugin's vulnerability history is clean, with zero known CVEs. This is a positive indicator, suggesting the developers have been diligent in the past. However, the current code signals present potential risks that could lead to future vulnerabilities.

Key Concerns

  • Use of unserialize() function
  • Low percentage of properly escaped output
  • Taint analysis: 1 unsanitized path flow
Vulnerabilities
None known

Splash Popup for WooCommerce Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Splash Popup for WooCommerce Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
1 prepared
Unescaped Output
152
96 escaped
Nonce Checks
14
Capability Checks
23
File Operations
4
External Requests
5
Bundled Libraries
0

Dangerous Functions Found

unserialize$error_log = unserialize(preg_replace('/R:\d+/', 's:18:"RECURSION DETECTED"', serialize(self::$errorberocket\includes\updater.php:128

SQL Query Safety

100% prepared1 total queries

Output Escaping

39% escaped248 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

9 flows1 with unsanitized paths
<framework> (berocket\framework.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Splash Popup for WooCommerce Attack Surface

Entry Points12
Unprotected0

AJAX Handlers 12

authwp_ajax_brfr_get_export_settingsberocket\includes\admin\import_export.php:5
authwp_ajax_brfr_set_import_settingsberocket\includes\admin\import_export.php:6
authwp_ajax_brfr_get_import_backupsberocket\includes\admin\import_export.php:7
authwp_ajax_brfr_restore_import_backupsberocket\includes\admin\import_export.php:8
authwp_ajax_berocket_admin_close_noticeberocket\includes\admin_notices.php:1199
authwp_ajax_berocket_subscribe_emailberocket\includes\admin_notices.php:1200
authwp_ajax_berocket_rate_stars_closeberocket\includes\admin_notices.php:1208
authwp_ajax_berocket_feature_request_sendberocket\includes\admin_notices.php:1209
authwp_ajax_berocket_error_notices_getberocket\includes\error_notices.php:5
authwp_ajax_berocket_information_close_noticeberocket\includes\information_notices.php:198
authwp_ajax_br_test_keyberocket\includes\updater.php:46
authwp_ajax_br_test_keysberocket\includes\updater.php:47
WordPress Hooks 105
actionwp_headaddons\deprecated_old_popup\popup.php:23
actioninitaddons\deprecated_old_popup\popup.php:24
actionadmin_initaddons\deprecated_old_popup\popup.php:25
filterbrfr_splash_popup_popup_pagesaddons\deprecated_old_popup\popup.php:26
filterberocket_splash_popup_page_idaddons\deprecated_old_popup\popup.php:27
filterberocket_splash_popup_page_titleaddons\deprecated_old_popup\popup.php:28
actionsave_postaddons\deprecated_old_popup\popup.php:29
filterwp_headaddons\deprecated_old_popup\popup.php:30
filterberocket_splash_popup_pages_contentsaddons\deprecated_old_popup\popup.php:31
actionadd_meta_boxesaddons\deprecated_old_popup\popup.php:64
filterthe_contentaddons\deprecated_old_popup\popup.php:342
actionwp_footeraddons\deprecated_old_popup\popup.php:382
filterplugins_listberocket\framework.php:84
filterBeRocket_updater_add_pluginberocket\framework.php:105
filterberocket_admin_notices_rate_stars_pluginsberocket\framework.php:106
actioninitberocket\framework.php:107
actioninitberocket\framework.php:110
actionwp_headberocket\framework.php:111
actionwp_footerberocket\framework.php:112
actionadmin_initberocket\framework.php:113
actionadmin_menuberocket\framework.php:114
actionadmin_enqueue_scriptsberocket\framework.php:115
actionberocket_enqueue_mediaberocket\framework.php:116
filterplugin_row_metaberocket\framework.php:122
filteris_berocket_settings_pageberocket\framework.php:123
actionplugins_loadedberocket\framework.php:128
actionsanitize_comment_cookiesberocket\framework.php:129
actioninstall_plugins_pre_plugin-informationberocket\framework.php:130
filterberocket_admin_notices_subscribe_pluginsberocket\framework.php:132
filterBeRocket_admin_init_user_capabilitiesberocket\framework.php:135
filterberocket_sanitize_array_predefineberocket\framework.php:136
filterberocket_sanitize_array_ksesberocket\framework.php:137
filterberocket_sanitize_array_ksesberocket\framework.php:140
actionbefore_woocommerce_initberocket\framework.php:150
filterloop_shop_per_pageberocket\framework.php:391
actionupgrader_process_completeberocket\framework.php:499
actionadmin_footerberocket\framework.php:1158
actionwp_footerberocket\framework.php:1159
actionadmin_initberocket\framework.php:1273
actionadmin_bar_menuberocket\includes\admin\admin_bar.php:8
actionwp_footerberocket\includes\admin\admin_bar.php:9
filterberocket_admin_bar_plugins_databerocket\includes\admin\admin_bar.php:149
actionBeRocket_framework_updater_account_form_afterberocket\includes\admin\import_export.php:4
filterberocket_admin_notice_is_display_noticeberocket\includes\admin_notices.php:75
filterberocket_admin_notice_is_display_notice_priorityberocket\includes\admin_notices.php:76
actionadmin_noticesberocket\includes\admin_notices.php:1198
actionadmin_noticesberocket\includes\admin_notices.php:1207
actionberocket_rate_plugin_windowberocket\includes\admin_notices.php:1210
actionberocket_related_plugins_windowberocket\includes\admin_notices.php:1211
actionberocket_above_admin_settingsberocket\includes\admin_notices.php:1212
actionberocket_feature_request_windowberocket\includes\admin_notices.php:1213
actionadmin_footerberocket\includes\admin_notices.php:1285
actionadmin_footerberocket\includes\admin_notices.php:1493
actionadmin_footerberocket\includes\admin_notices.php:1922
actionadmin_footerberocket\includes\admin_notices.php:2079
actioninitberocket\includes\custom_post\enable_disable.php:9
actionadmin_initberocket\includes\custom_post\enable_disable.php:10
actionpost_action_enableberocket\includes\custom_post\enable_disable.php:13
actionpost_action_disableberocket\includes\custom_post\enable_disable.php:14
filterpost_classberocket\includes\custom_post\enable_disable.php:16
filterpre_get_postsberocket\includes\custom_post\enable_disable.php:18
actionpre_get_postsberocket\includes\custom_post\sortable.php:22
actionin_admin_footerberocket\includes\custom_post\sortable.php:117
actioninitberocket\includes\custom_post.php:58
filterinitberocket\includes\custom_post.php:59
filteradmin_initberocket\includes\custom_post.php:60
filterwp_insert_post_databerocket\includes\custom_post.php:61
filterBeRocket_admin_init_user_capabilitiesberocket\includes\custom_post.php:71
actionadd_meta_boxesberocket\includes\custom_post.php:128
actionsave_postberocket\includes\custom_post.php:129
filterpost_row_actionsberocket\includes\custom_post.php:130
filterlist_table_primary_columnberocket\includes\custom_post.php:131
actionadmin_enqueue_scriptsberocket\includes\custom_post.php:133
filteris_berocket_settings_pageberocket\includes\custom_post.php:135
actionadmin_footerberocket\includes\custom_post.php:162
actionadmin_noticesberocket\includes\information_notices.php:197
actionadmin_initberocket\includes\updater.php:18
filterwoocommerce_addons_sectionsberocket\includes\updater.php:27
filteris_berocket_settings_pageberocket\includes\updater.php:28
actionadmin_footerberocket\includes\updater.php:30
actionadmin_headberocket\includes\updater.php:39
actionadmin_menuberocket\includes\updater.php:40
actionadmin_menuberocket\includes\updater.php:41
actionnetwork_admin_menuberocket\includes\updater.php:42
actionadmin_initberocket\includes\updater.php:43
filterpre_set_site_transient_update_pluginsberocket\includes\updater.php:44
filterplugins_api_resultberocket\includes\updater.php:45
filterhttp_request_host_is_externalberocket\includes\updater.php:48
actionadmin_footerberocket\includes\updater.php:51
actionwp_footerberocket\includes\updater.php:52
filterberocket_display_additional_noticesberocket\includes\updater.php:92
filtercustom_menu_orderberocket\includes\updater.php:98
filterberocket_admin_notice_is_display_noticeberocket\includes\updater.php:102
filterberocket_admin_notice_is_display_notice_priorityberocket\includes\updater.php:103
filterplugins_api_resultberocket\includes\updater.php:109
actioninitberocket\includes\updater.php:1413
actionadmin_enqueue_scriptsberocket\sale\sale.php:4
actionwp_loginmain.php:112
actionwp_logoutmain.php:113
actionwp_footermain.php:116
filterBeRocket_updater_menu_order_custom_postmain.php:118
filterberocket_splash_popup_pages_contentsmain.php:119
filterthe_contentmain.php:120
actionwp_footermain.php:121
filterBeRocket_updater_error_logmain.php:125
Maintenance & Trust

Splash Popup for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 12, 2026
PHP min version7.0
Downloads14K

Community Trust

Rating76/100
Number of ratings4
Active installs50
Alternatives

Splash Popup for WooCommerce Alternatives

Brave Popup Builder – Popup, Optins, Lead Generation, Survey & Interactive Content

Brave Popup Builder – Popup, Optins, Lead Generation, Survey & Interactive Content

brave-popup-builder

A
92

The best drag-and-drop Popup Builder for WordPress. Create Popups, exit-intent popups, slide-ins, and lead generation forms & Woocommerce popups i &hellip;

20K 5 CVEs
Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales

Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales

poptics

A
99

Create high-converting popups, email opt-ins, exit-intent popups & WooCommerce popups to boost leads, subscribers and sales.

2K 1 CVE
Quick View for WooCommerce

Quick View for WooCommerce

woo-quickview

A
98

Add a quick view button in the product loop so visitors can quickly view product information in a nice modal without opening the product page.

2K 2 CVEs
YITH WooCommerce Popup

YITH WooCommerce Popup

yith-woocommerce-popup

A
97

Create and customize your popup windows using templates carefully designed by YITH.

2K 2 CVEs
Leo Product Recommendations for WooCommerce

Leo Product Recommendations for WooCommerce

leo-product-recommendations

A
100

Boost WooCommerce sales with smart product recommendation popups on add to cart.

500 No CVEs
Developer Profile

Splash Popup for WooCommerce Developer Profile

BeRocket

22 plugins · 139K total installs

78
trust score
Avg Security Score
99/100
Avg Patch Time
381 days
View full developer profile
Detection Fingerprints

How We Detect Splash Popup for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/splash-popup-for-woocommerce/js/public.min.js/wp-content/plugins/splash-popup-for-woocommerce/css/public.min.css/wp-content/plugins/splash-popup-for-woocommerce/addons/deprecated_old_popup/css/popup.css
Script Paths
/wp-content/plugins/splash-popup-for-woocommerce/js/public.min.js/wp-content/plugins/splash-popup-for-woocommerce/addons/deprecated_old_popup/css/popup.css
Version Parameters
splash-popup-for-woocommerce/js/public.min.js?ver=splash-popup-for-woocommerce/css/public.min.css?ver=splash-popup-for-woocommerce/addons/deprecated_old_popup/css/popup.css?ver=

HTML / DOM Fingerprints

CSS Classes
br_splash_popup_containerbr_splash_popup_titlebr_splash_popup_contentbr_splash_popup_buttonbr_splash_popup_close_button
HTML Comments
<!-- Splash popup settings --><!-- End Splash popup settings --><!-- BeRocket Splash Popup Start --><!-- BeRocket Splash Popup End -->
Data Attributes
data-br-splash-popup-iddata-br-splash-popup-animationdata-br-splash-popup-close-btndata-br-splash-popup-close-timedata-br-splash-popup-delaydata-br-splash-popup-height+1 more
JS Globals
BeRocket_splash_popup
Shortcode Output
[splash_popup][splash_popup_image][splash_popup_html]
FAQ

Frequently Asked Questions about Splash Popup for WooCommerce