WP-Safety

Splash Popup for WooCommerce Security & Risk Analysis

wordpress.org/plugins/splash-popup-for-woocommerce

If you want to show welcome messages, links, or promos, Splash Popup for WooCommerce is a simple way to boost engagement.

40 active installs v3.6.2.5 PHP 7.0+ WP 5.0+ Updated Apr 15, 2026
marketingmodalpopuppromotionwoocommerce
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Splash Popup for WooCommerce Safe to Use in 2026?

Generally Safe

Score 100/100

Splash Popup for WooCommerce has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago
Risk Assessment

The "splash-popup-for-woocommerce" plugin v3.6.2.3 exhibits a generally strong security posture with several commendable practices. Notably, all identified entry points (12 AJAX handlers) have security checks in place, and 100% of SQL queries utilize prepared statements, mitigating the risk of SQL injection. The presence of 14 nonce checks and 23 capability checks further strengthens its defenses against common WordPress attacks. However, the static analysis does reveal a significant concern: the use of the `unserialize()` function. This function is notoriously dangerous as it can lead to Remote Code Execution (RCE) if the serialized data it processes is attacker-controlled or tampered with. While no explicit taint flows involving `unserialize` were flagged as critical or high, the mere presence of this function without further context on how it's used represents a potential weakness.

Furthermore, the output escaping is only properly implemented in 39% of cases. This indicates a substantial risk of Cross-Site Scripting (XSS) vulnerabilities, where malicious scripts could be injected into the site. The taint analysis, while showing no critical or high severity unsanitized paths, did flag one flow with an unsanitized path. Combined with the low output escaping percentage, this suggests a latent XSS risk that might not have been fully captured by the static analysis. The plugin's vulnerability history is clean, with zero known CVEs. This is a positive indicator, suggesting the developers have been diligent in the past. However, the current code signals present potential risks that could lead to future vulnerabilities.

Key Concerns

  • Use of unserialize() function
  • Low percentage of properly escaped output
  • Taint analysis: 1 unsanitized path flow
Vulnerabilities
None known

Splash Popup for WooCommerce Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Splash Popup for WooCommerce Release Timeline

v3.6.2.5Current
v3.6.2.4
v3.6.2.3
v3.6.2.2
v3.6.2.1
v3.6.1
v3.6
v3.5.9
v3.5.8
v3.5.7.9
v3.5.7.8
v3.5.7.7
v3.5.7.6
v3.5.7.5
v3.5.7.4
v3.5.7.3
v3.5.7.2
v3.5.7.1
v3.5.7
v3.5.6
Code Analysis
Analyzed Mar 16, 2026

Splash Popup for WooCommerce Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
1 prepared
Unescaped Output
152
96 escaped
Nonce Checks
14
Capability Checks
23
File Operations
4
External Requests
5
Bundled Libraries
0

Dangerous Functions Found

unserialize$error_log = unserialize(preg_replace('/R:\d+/', 's:18:"RECURSION DETECTED"', serialize(self::$errorberocket\includes\updater.php:128

SQL Query Safety

100% prepared1 total queries

Output Escaping

39% escaped248 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

9 flows1 with unsanitized paths
<framework> (berocket\framework.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Splash Popup for WooCommerce Attack Surface

Entry Points12
Unprotected0

AJAX Handlers 12

authwp_ajax_brfr_get_export_settingsberocket\includes\admin\import_export.php:5
authwp_ajax_brfr_set_import_settingsberocket\includes\admin\import_export.php:6
authwp_ajax_brfr_get_import_backupsberocket\includes\admin\import_export.php:7
authwp_ajax_brfr_restore_import_backupsberocket\includes\admin\import_export.php:8
authwp_ajax_berocket_admin_close_noticeberocket\includes\admin_notices.php:1199
authwp_ajax_berocket_subscribe_emailberocket\includes\admin_notices.php:1200
authwp_ajax_berocket_rate_stars_closeberocket\includes\admin_notices.php:1208
authwp_ajax_berocket_feature_request_sendberocket\includes\admin_notices.php:1209
authwp_ajax_berocket_error_notices_getberocket\includes\error_notices.php:5
authwp_ajax_berocket_information_close_noticeberocket\includes\information_notices.php:198
authwp_ajax_br_test_keyberocket\includes\updater.php:46
authwp_ajax_br_test_keysberocket\includes\updater.php:47
WordPress Hooks 105
actionwp_headaddons\deprecated_old_popup\popup.php:23
actioninitaddons\deprecated_old_popup\popup.php:24
actionadmin_initaddons\deprecated_old_popup\popup.php:25
filterbrfr_splash_popup_popup_pagesaddons\deprecated_old_popup\popup.php:26
filterberocket_splash_popup_page_idaddons\deprecated_old_popup\popup.php:27
filterberocket_splash_popup_page_titleaddons\deprecated_old_popup\popup.php:28
actionsave_postaddons\deprecated_old_popup\popup.php:29
filterwp_headaddons\deprecated_old_popup\popup.php:30
filterberocket_splash_popup_pages_contentsaddons\deprecated_old_popup\popup.php:31
actionadd_meta_boxesaddons\deprecated_old_popup\popup.php:64
filterthe_contentaddons\deprecated_old_popup\popup.php:342
actionwp_footeraddons\deprecated_old_popup\popup.php:382
filterplugins_listberocket\framework.php:84
filterBeRocket_updater_add_pluginberocket\framework.php:105
filterberocket_admin_notices_rate_stars_pluginsberocket\framework.php:106
actioninitberocket\framework.php:107
actioninitberocket\framework.php:110
actionwp_headberocket\framework.php:111
actionwp_footerberocket\framework.php:112
actionadmin_initberocket\framework.php:113
actionadmin_menuberocket\framework.php:114
actionadmin_enqueue_scriptsberocket\framework.php:115
actionberocket_enqueue_mediaberocket\framework.php:116
filterplugin_row_metaberocket\framework.php:122
filteris_berocket_settings_pageberocket\framework.php:123
actionplugins_loadedberocket\framework.php:128
actionsanitize_comment_cookiesberocket\framework.php:129
actioninstall_plugins_pre_plugin-informationberocket\framework.php:130
filterberocket_admin_notices_subscribe_pluginsberocket\framework.php:132
filterBeRocket_admin_init_user_capabilitiesberocket\framework.php:135
filterberocket_sanitize_array_predefineberocket\framework.php:136
filterberocket_sanitize_array_ksesberocket\framework.php:137
filterberocket_sanitize_array_ksesberocket\framework.php:140
actionbefore_woocommerce_initberocket\framework.php:150
filterloop_shop_per_pageberocket\framework.php:391
actionupgrader_process_completeberocket\framework.php:499
actionadmin_footerberocket\framework.php:1158
actionwp_footerberocket\framework.php:1159
actionadmin_initberocket\framework.php:1273
actionadmin_bar_menuberocket\includes\admin\admin_bar.php:8
actionwp_footerberocket\includes\admin\admin_bar.php:9
filterberocket_admin_bar_plugins_databerocket\includes\admin\admin_bar.php:149
actionBeRocket_framework_updater_account_form_afterberocket\includes\admin\import_export.php:4
filterberocket_admin_notice_is_display_noticeberocket\includes\admin_notices.php:75
filterberocket_admin_notice_is_display_notice_priorityberocket\includes\admin_notices.php:76
actionadmin_noticesberocket\includes\admin_notices.php:1198
actionadmin_noticesberocket\includes\admin_notices.php:1207
actionberocket_rate_plugin_windowberocket\includes\admin_notices.php:1210
actionberocket_related_plugins_windowberocket\includes\admin_notices.php:1211
actionberocket_above_admin_settingsberocket\includes\admin_notices.php:1212
actionberocket_feature_request_windowberocket\includes\admin_notices.php:1213
actionadmin_footerberocket\includes\admin_notices.php:1285
actionadmin_footerberocket\includes\admin_notices.php:1493
actionadmin_footerberocket\includes\admin_notices.php:1922
actionadmin_footerberocket\includes\admin_notices.php:2079
actioninitberocket\includes\custom_post\enable_disable.php:9
actionadmin_initberocket\includes\custom_post\enable_disable.php:10
actionpost_action_enableberocket\includes\custom_post\enable_disable.php:13
actionpost_action_disableberocket\includes\custom_post\enable_disable.php:14
filterpost_classberocket\includes\custom_post\enable_disable.php:16
filterpre_get_postsberocket\includes\custom_post\enable_disable.php:18
actionpre_get_postsberocket\includes\custom_post\sortable.php:22
actionin_admin_footerberocket\includes\custom_post\sortable.php:117
actioninitberocket\includes\custom_post.php:58
filterinitberocket\includes\custom_post.php:59
filteradmin_initberocket\includes\custom_post.php:60
filterwp_insert_post_databerocket\includes\custom_post.php:61
filterBeRocket_admin_init_user_capabilitiesberocket\includes\custom_post.php:71
actionadd_meta_boxesberocket\includes\custom_post.php:128
actionsave_postberocket\includes\custom_post.php:129
filterpost_row_actionsberocket\includes\custom_post.php:130
filterlist_table_primary_columnberocket\includes\custom_post.php:131
actionadmin_enqueue_scriptsberocket\includes\custom_post.php:133
filteris_berocket_settings_pageberocket\includes\custom_post.php:135
actionadmin_footerberocket\includes\custom_post.php:162
actionadmin_noticesberocket\includes\information_notices.php:197
actionadmin_initberocket\includes\updater.php:18
filterwoocommerce_addons_sectionsberocket\includes\updater.php:27
filteris_berocket_settings_pageberocket\includes\updater.php:28
actionadmin_footerberocket\includes\updater.php:30
actionadmin_headberocket\includes\updater.php:39
actionadmin_menuberocket\includes\updater.php:40
actionadmin_menuberocket\includes\updater.php:41
actionnetwork_admin_menuberocket\includes\updater.php:42
actionadmin_initberocket\includes\updater.php:43
filterpre_set_site_transient_update_pluginsberocket\includes\updater.php:44
filterplugins_api_resultberocket\includes\updater.php:45
filterhttp_request_host_is_externalberocket\includes\updater.php:48
actionadmin_footerberocket\includes\updater.php:51
actionwp_footerberocket\includes\updater.php:52
filterberocket_display_additional_noticesberocket\includes\updater.php:92
filtercustom_menu_orderberocket\includes\updater.php:98
filterberocket_admin_notice_is_display_noticeberocket\includes\updater.php:102
filterberocket_admin_notice_is_display_notice_priorityberocket\includes\updater.php:103
filterplugins_api_resultberocket\includes\updater.php:109
actioninitberocket\includes\updater.php:1413
actionadmin_enqueue_scriptsberocket\sale\sale.php:4
actionwp_loginmain.php:112
actionwp_logoutmain.php:113
actionwp_footermain.php:116
filterBeRocket_updater_menu_order_custom_postmain.php:118
filterberocket_splash_popup_pages_contentsmain.php:119
filterthe_contentmain.php:120
actionwp_footermain.php:121
filterBeRocket_updater_error_logmain.php:125
Maintenance & Trust

Splash Popup for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedApr 15, 2026
PHP min version7.0
Downloads14K

Community Trust

Rating76/100
Number of ratings4
Active installs40
Alternatives

Splash Popup for WooCommerce Alternatives

Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions

Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions

popup-anything-on-click

A
99

Create popup on a page load or Create popup by clicking link, image and button. Create popups, opt-in forms, & exit popups, floating bars and more!

30K 4 CVEs
WebToffee eCommerce Marketing Automation – Email marketing, Popups, Email customizer

WebToffee eCommerce Marketing Automation – Email marketing, Popups, Email customizer

decorator-woocommerce-email-customizer

A
98

Create and send marketing emails and campaigns. Enable email automations, Popups, spin-a-wheel, sign-up forms, and more. Customize WooCommerce emails.

10K 2 CVEs
Themify Popup

Themify Popup

themify-popup

A
99

Turn visitors into subscribers and increase sale conversions! Use Popup to show newsletter forms, promotions, or lightbox content.

8K 1 CVE
Hello Bar Popup Builder: Design Engaging Popups on WordPress

Hello Bar Popup Builder: Design Engaging Popups on WordPress

hellobar

B
78

Easily add a Popup to your WordPress site with the official HelloBar WordPress plugin.

3K 1 unpatched
Popups for WooCommerce: Add to Cart, Checkout & More

Popups for WooCommerce: Add to Cart, Checkout & More

popup-notices-for-woocommerce

A
100

Make your WooCommerce Notices (sucess, info, and error) more visible to your customers by turning them into popups

2K No CVEs
Developer Profile

Splash Popup for WooCommerce Developer Profile

BeRocket

23 plugins · 139K total installs

78
trust score
Avg Security Score
99/100
Avg Patch Time
384 days
View full developer profile
Detection Fingerprints

How We Detect Splash Popup for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/splash-popup-for-woocommerce/js/public.min.js/wp-content/plugins/splash-popup-for-woocommerce/css/public.min.css/wp-content/plugins/splash-popup-for-woocommerce/addons/deprecated_old_popup/css/popup.css
Script Paths
/wp-content/plugins/splash-popup-for-woocommerce/js/public.min.js/wp-content/plugins/splash-popup-for-woocommerce/addons/deprecated_old_popup/css/popup.css
Version Parameters
splash-popup-for-woocommerce/js/public.min.js?ver=splash-popup-for-woocommerce/css/public.min.css?ver=splash-popup-for-woocommerce/addons/deprecated_old_popup/css/popup.css?ver=

HTML / DOM Fingerprints

CSS Classes
br_splash_popup_containerbr_splash_popup_titlebr_splash_popup_contentbr_splash_popup_buttonbr_splash_popup_close_button
HTML Comments
<!-- Splash popup settings --><!-- End Splash popup settings --><!-- BeRocket Splash Popup Start --><!-- BeRocket Splash Popup End -->
Data Attributes
data-br-splash-popup-iddata-br-splash-popup-animationdata-br-splash-popup-close-btndata-br-splash-popup-close-timedata-br-splash-popup-delaydata-br-splash-popup-height+1 more
JS Globals
BeRocket_splash_popup
Shortcode Output
[splash_popup][splash_popup_image][splash_popup_html]
FAQ

Frequently Asked Questions about Splash Popup for WooCommerce