Themify Popup Security & Risk Analysis

wordpress.org/plugins/themify-popup

Turn visitors into subscribers and increase sale conversions! Use Popup to show newsletter forms, promotions, or lightbox content.

9K active installs · v1.4.4 · PHP 7.2+ · WP 4.5+ · Updated Aug 14, 2025

Tags: lightbox, marketing, modal, notification, popup

Security score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Sep 5, 2025
Safety Verdict

Is Themify Popup Safe to Use in 2026?

Generally Safe

Score 99/100

Themify Popup has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Sep 5, 2025 · Updated 7mo ago
Risk Assessment

The themify-popup plugin v1.4.4 presents a mixed security posture. While it demonstrates good practices like using prepared statements for all SQL queries and a substantial number of capability checks, there are notable areas of concern. The presence of two AJAX handlers without authentication checks significantly increases the attack surface. Additionally, the use of the `unserialize` function is a known dangerous pattern that can lead to remote code execution if untrusted data is passed to it. Taint analysis indicates no critical or high severity issues in the analyzed flows, which is a positive sign. However, the vulnerability history, specifically a medium severity Cross-site Scripting vulnerability reported in late 2025, suggests that the plugin has had past security flaws. While there are currently no unpatched CVEs, this history warrants caution and indicates a need for diligent security practices.

Overall, the plugin's reliance on prepared statements and a reasonable number of capability checks are strengths. However, the unprotected AJAX endpoints and the inherent risks associated with `unserialize` are significant weaknesses. The past medium severity XSS vulnerability, even if patched, suggests that diligent updating and monitoring for future patches are crucial for users of this plugin. The security of this plugin is moderate, with specific areas requiring attention from both developers and users.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous function: unserialize
  • Medium severity vulnerability history
  • Unsanitized paths in taint analysis
  • Output escaping not fully implemented
Vulnerabilities (1)

Themify Popup Security Vulnerabilities

CVEs by Year

1 CVE in 2025 (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-58787 · Medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themify Popup <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 5, 2025 · Patched in 1.4.3 (21d)

Code Analysis (analyzed Mar 16, 2026)

Themify Popup Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 65 (242 escaped)
Nonce Checks: 5
Capability Checks: 8
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

  • unserialize: `$new_data = unserialize($fileContent, ['allowed_classes' => false]);` (includes\themify-metabox\includes\themify-metabox-core.php:562)
  • unserialize: `$currentSwatches = unserialize( get_option( 'themify_saved_' . $type, serialize( array() ) ) );` (includes\themify-metabox\includes\themify-metabox-core.php:572)

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared (2 total queries)

Output Escaping

79% escaped (307 total outputs)

Data Flows (2 unsanitized)

Data Flow Analysis

7 flows, 2 with unsanitized paths

Flow: themify_ajax_create_page_pagination (includes\themify-metabox\includes\themify-field-types.php:737)
Attack Surface (2 unprotected)

Themify Popup Attack Surface

Entry Points: 7
Unprotected: 2

AJAX Handlers 6

auth · wp_ajax_themify_metabox_media_lib_browse · includes\themify-metabox\includes\themify-field-types.php:8
auth · wp_ajax_themify_plupload · includes\themify-metabox\includes\themify-field-types.php:9
auth · wp_ajax_themify_create_inner_popup_page · includes\themify-metabox\includes\themify-field-types.php:10
auth · wp_ajax_themify_create_popup_page_pagination · includes\themify-metabox\includes\themify-field-types.php:11
auth · wp_ajax_themify_import_colors · includes\themify-metabox\includes\themify-metabox-core.php:33
auth · wp_ajax_themify_save_colors · includes\themify-metabox\includes\themify-metabox-core.php:34

Shortcodes 1

[tf_popup] includes\system.php:17

WordPress Hooks 49

action · init · includes\system.php:6
action · init · includes\system.php:7
action · wp_loaded · includes\system.php:8
filter · themify_exclude_cpt_post_options · includes\system.php:10
filter · themify_do_metaboxes · includes\system.php:11
action · admin_enqueue_scripts · includes\system.php:12
filter · wp_nav_menu_objects · includes\system.php:14
filter · template_include · includes\system.php:15
action · template_redirect · includes\system.php:16
action · themify_builder_active_enqueue · includes\system.php:20
action · wp_footer · includes\system.php:25
filter · wp_editor_settings · includes\system.php:35
filter · themify_builder_display · includes\system.php:246
filter · themify_builder_row_classes · includes\system.php:249
filter · themify_metaboxes · includes\themify-metabox\example-functions.php:30
filter · themify_metabox/fields/tm-example · includes\themify-metabox\example-functions.php:229
filter · themify_metabox/user/fields · includes\themify-metabox\example-functions.php:259
filter · themify_metabox/taxonomy/category/fields · includes\themify-metabox\example-functions.php:280
action · init · includes\themify-metabox\includes\themify-metabox-core.php:17
action · admin_menu · includes\themify-metabox\includes\themify-metabox-core.php:27
action · pre_post_update · includes\themify-metabox\includes\themify-metabox-core.php:28
action · save_post · includes\themify-metabox\includes\themify-metabox-core.php:29
action · admin_enqueue_scripts · includes\themify-metabox\includes\themify-metabox-core.php:30
filter · is_protected_meta · includes\themify-metabox\includes\themify-metabox-core.php:31
action · admin_init · includes\themify-metabox\includes\themify-metabox-core.php:35
filter · save_post · includes\themify-metabox\includes\themify-metabox-core.php:40
action · add_meta_boxes · includes\themify-metabox\includes\themify-metabox-core.php:44
action · admin_head · includes\themify-metabox\includes\themify-metabox-core.php:45
action · admin_enqueue_scripts · includes\themify-metabox\includes\themify-metabox-core.php:46
action · template_redirect · includes\themify-metabox\includes\themify-metabox-core.php:50
action · wp_before_admin_bar_render · includes\themify-metabox\includes\themify-metabox-core.php:697
action · wp_enqueue_scripts · includes\themify-metabox\includes\themify-metabox-core.php:698
filter · use_block_editor_for_post · includes\themify-metabox\includes\themify-metabox-core.php:728
filter · screen_options_show_screen · includes\themify-metabox\includes\themify-metabox-core.php:730
action · init · includes\themify-metabox\includes\themify-metabox-core.php:772
action · init · includes\themify-metabox\includes\themify-term-fields.php:22
action · admin_enqueue_scripts · includes\themify-metabox\includes\themify-term-fields.php:23
action · created_term · includes\themify-metabox\includes\themify-term-fields.php:35
action · edited_term · includes\themify-metabox\includes\themify-term-fields.php:36
action · show_user_profile · includes\themify-metabox\includes\themify-user-fields.php:22
action · edit_user_profile · includes\themify-metabox\includes\themify-user-fields.php:23
action · admin_enqueue_scripts · includes\themify-metabox\includes\themify-user-fields.php:24
action · personal_options_update · includes\themify-metabox\includes\themify-user-fields.php:25
action · edit_user_profile_update · includes\themify-metabox\includes\themify-user-fields.php:26
action · after_setup_theme · includes\themify-metabox\themify-metabox.php:35
filter · mce_external_plugins · includes\tinymce.php:6
filter · mce_buttons · includes\tinymce.php:7
action · after_setup_theme · themify-popup.php:41
filter · plugin_row_meta · themify-popup.php:50

Maintenance & Trust

Themify Popup Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Aug 14, 2025
PHP min version: 7.2
Downloads: 241K

Community Trust

Rating: 98/100
Number of ratings: 11
Active installs: 9K
Developer Profile

Themify Popup Developer Profile

themifyme

10 plugins · 140K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 145 days
Detection Fingerprints

How We Detect Themify Popup

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths: /wp-content/plugins/themify-popup/assets/admin.js
Version Parameters: themify-popup/assets/admin.js?ver=

HTML / DOM Fingerprints

Data Attributes: data-tf-popup-id
Shortcode Output: [tf_popup
FAQ

Frequently Asked Questions about Themify Popup