Ultimate Popup Free Security & Risk Analysis

wordpress.org/plugins/ultimate-popup-free

Ultimate PopUp Free is an AWESOME PopUp plugin for your WordPress website.

100 active installs · v1.0 · PHP + · WP 3.0.1+ · Updated Oct 3, 2015
Tags: auto-popup, automatic-popup, email-marketing, mailchimp, newsletter-subscribe
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Ultimate Popup Free Safe to Use in 2026?

Generally Safe

Score 85/100

Ultimate Popup Free has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 10yr ago
Risk Assessment

The "ultimate-popup-free" v1.0 plugin exhibits a generally positive security posture with some notable areas for concern. It demonstrates good practices by utilizing prepared statements for all SQL queries, implementing a reasonable number of nonce and capability checks, and having no recorded historical vulnerabilities. The attack surface is minimal, with only one shortcode and no exposed AJAX handlers or REST API routes. However, the presence of the `unserialize` function without further context on its usage is a significant red flag. While taint analysis found no issues, this does not necessarily negate the risk if `unserialize` is used with user-supplied data. Additionally, a substantial percentage of output is not properly escaped, which could lead to cross-site scripting (XSS) vulnerabilities if the data being output is not inherently safe.

Given the clean vulnerability history, the plugin appears to have been developed with security in mind. The static analysis does highlight potential risks that could be exploited if the plugin evolves or if the `unserialize` function is misused. The lack of proper output escaping on over half of the identified output points is a recurring theme that needs attention to prevent potential XSS flaws. The overall security is decent, but the identified code signals warrant a cautious approach, particularly regarding the `unserialize` function and output escaping.

Key Concerns

  • Dangerous function: unserialize detected
  • Low percentage of properly escaped output
Vulnerabilities
None known

Ultimate Popup Free Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Ultimate Popup Free Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 0 (2 prepared)
  • Unescaped Output: 56 (31 escaped)
  • Nonce Checks: 3
  • Capability Checks: 5
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$datetime = unserialize( $args['value'] );` · inc\cmb2\includes\CMB2_Types.php:584

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

36% escaped · 87 total outputs
Attack Surface

Ultimate Popup Free Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[ultimate_popup] ultimate-popup-free.php:374
WordPress Hooks 31
filter · get_post_metadata · inc\cmb2\includes\CMB2_Ajax.php:114
filter · update_post_metadata · inc\cmb2\includes\CMB2_Ajax.php:117
filter · cmb2_show_on · inc\cmb2\includes\CMB2_hookup.php:66
action · add_meta_boxes · inc\cmb2\includes\CMB2_hookup.php:79
action · add_attachment · inc\cmb2\includes\CMB2_hookup.php:80
action · edit_attachment · inc\cmb2\includes\CMB2_hookup.php:81
action · save_post · inc\cmb2\includes\CMB2_hookup.php:82
action · add_meta_boxes_comment · inc\cmb2\includes\CMB2_hookup.php:87
action · edit_comment · inc\cmb2\includes\CMB2_hookup.php:88
action · show_user_profile · inc\cmb2\includes\CMB2_hookup.php:113
action · edit_user_profile · inc\cmb2\includes\CMB2_hookup.php:114
action · user_new_form · inc\cmb2\includes\CMB2_hookup.php:115
action · personal_options_update · inc\cmb2\includes\CMB2_hookup.php:117
action · edit_user_profile_update · inc\cmb2\includes\CMB2_hookup.php:118
action · user_register · inc\cmb2\includes\CMB2_hookup.php:119
action · init · inc\cmb2\init.php:119
filter · cmb2_meta_boxes · inc\cmb2\ppm-side-popup-cpt-option.php:12
action · admin_head · inc\cmb2\ppm-side-popup-cpt-option.php:163
action · admin_init · inc\settings-api\ppm-popup-options.php:84
action · admin_menu · inc\settings-api\ppm-popup-options.php:87
action · admin_init · inc\settings-api\settings-api.php:16
action · admin_menu · inc\settings-api\settings-api.php:17
action · init · ultimate-popup-free.php:15
action · wp_enqueue_scripts · ultimate-popup-free.php:29
action · init · ultimate-popup-free.php:37
action · wp_footer · ultimate-popup-free.php:87
action · wp_footer · ultimate-popup-free.php:97
action · wp_footer · ultimate-popup-free.php:107
filter · mce_external_plugins · ultimate-popup-free.php:382
filter · mce_buttons · ultimate-popup-free.php:383
action · admin_head · ultimate-popup-free.php:386
Maintenance & Trust

Ultimate Popup Free Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.3.34
Last updated: Oct 3, 2015
PHP min version
Downloads: 17K

Community Trust

Rating: 92/100
Number of ratings: 8
Active installs: 100
Developer Profile

Ultimate Popup Free Developer Profile

perfectpointmarketing

5 plugins · 710 total installs

Trust score: 86
Avg Security Score: 88/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Ultimate Popup Free

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/ultimate-popup-free/css/ppm-side-popup.css
  • /wp-content/plugins/ultimate-popup-free/js/jquery.cookie.js
  • /wp-content/plugins/ultimate-popup-free/js/jquery.easymodal.js
  • /wp-content/plugins/ultimate-popup-free/js/ppm-side-popup.js
Script Paths
  • /wp-content/plugins/ultimate-popup-free/js/ppm-side-popup.js
  • /wp-content/plugins/ultimate-popup-free/js/jquery.cookie.js
  • /wp-content/plugins/ultimate-popup-free/js/jquery.easymodal.js
Version Parameters
  • ultimate-popup-free/css/ppm-side-popup.css?ver=
  • ultimate-popup-free/js/ppm-side-popup.js?ver=
  • ultimate-popup-free/js/jquery.cookie.js?ver=
  • ultimate-popup-free/js/jquery.easymodal.js?ver=

HTML / DOM Fingerprints

CSS Classes
ppm-popup-content-global
Data Attributes
data-popup-name, data-popup-type, data-popup-url, data-popup-id
JS Globals
ppm_side_popup_free_global
FAQ

Frequently Asked Questions about Ultimate Popup Free