WP Popup Security & Risk Analysis

wordpress.org/plugins/wp-pop-up

Looking for a new way to entice your site visitors? WP Popup is the lightbox/popup plugin built with performance in mind.

900 active installs · v1.2.7 · PHP + WP 4.3+ · Updated Dec 3, 2025
Tags: lightbox, modal-window, popup
Score: 100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP Popup Safe to Use in 2026?

Generally Safe

Score 100/100

WP Popup has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4mo ago
Risk Assessment

The "wp-pop-up" plugin v1.2.7 exhibits a generally strong security posture based on the provided static analysis. The plugin demonstrates good practices with a complete absence of known CVEs, indicating a history of responsible development and patching. Furthermore, the static analysis shows no critical or high severity taint flows, no dangerous functions, and no file operations, all of which are positive signs. The presence of nonce checks and capability checks on its entry points, coupled with the complete lack of unprotected AJAX handlers, REST API routes, shortcodes, or cron events, significantly reduces the attack surface and the likelihood of common web vulnerabilities.

However, there are areas for improvement. While 50% of SQL queries are prepared, the remaining 50% are not, posing a potential risk of SQL injection if the data used in these queries is not properly sanitized. Additionally, 30% of output is not properly escaped, which could lead to Cross-Site Scripting (XSS) vulnerabilities. No taint flows were analyzed, which might suggest limited scope or coverage in the analysis, though it also aligns with the lack of detected critical issues. Overall, the plugin is relatively secure but could benefit from addressing the unescaped output and non-prepared SQL queries to achieve a more robust security profile.

Key Concerns

  • SQL queries not using prepared statements
  • Output escaping not properly implemented
Vulnerabilities
None known

WP Popup Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP Popup Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 raw, 1 prepared
Unescaped Output: 61 unescaped, 140 escaped
Nonce Checks: 4
Capability Checks: 7
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

50% prepared (2 total queries)

Output Escaping

70% escaped (201 total outputs)
Attack Surface

WP Popup Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers 3

auth  wp_ajax_cmb2_oembed_handler  includes\CMB2\includes\CMB2_Ajax.php:51
nopriv  wp_ajax_cmb2_oembed_handler  includes\CMB2\includes\CMB2_Ajax.php:52
auth  wp_ajax_cmb_post_search_ajax_get_results  includes\cmb2-field-post-search-ajax\cmb-field-post-search-ajax.php:36
WordPress Hooks 89
action  cmb2_admin_init  classes\class-wp-popup-admin-fields.php:96
action  admin_enqueue_scripts  classes\class-wp-popup-admin-fields.php:97
action  cmb2_render_single_dimension_and_unit  classes\class-wp-popup-custom-fields.php:33
filter  cmb2_sanitize_single_dimension_and_unit  classes\class-wp-popup-custom-fields.php:34
filter  cmb2_after_form  classes\class-wp-popup-custom-fields.php:35
action  cmb2_render_range_slider  classes\class-wp-popup-custom-fields.php:36
filter  cmb2_after_form  classes\class-wp-popup-custom-fields.php:37
action  init  classes\class-wp-popup.php:157
action  manage_wp_popup_posts_custom_column  classes\class-wp-popup.php:159
filter  manage_wp_popup_posts_columns  classes\class-wp-popup.php:160
action  wp  classes\class-wp-popup.php:162
action  wp  classes\class-wp-popup.php:163
action  wp  classes\class-wp-popup.php:164
action  wp  classes\class-wp-popup.php:165
action  wp_footer  classes\class-wp-popup.php:167
action  wp_enqueue_scripts  classes\class-wp-popup.php:168
action  admin_enqueue_scripts  classes\class-wp-popup.php:169
action  admin_notices  classes\class-wp-popup.php:170
action  post_updated_messages  classes\class-wp-popup.php:171
action  admin_enqueue_scripts  classes\class-wp-popup.php:172
filter  fl_builder_post_types  classes\class-wp-popup.php:173
action  pre_get_posts  classes\class-wp-popup.php:174
filter  the_content  classes\class-wp-popup.php:175
action  enqueue_block_editor_assets  classes\class-wp-popup.php:176
filter  wp_popup_content  classes\class-wp-popup.php:181
filter  wp_popup_content  classes\class-wp-popup.php:182
filter  wp_popup_content  classes\class-wp-popup.php:183
filter  wp_popup_content  classes\class-wp-popup.php:184
filter  wp_popup_content  classes\class-wp-popup.php:185
filter  wp_popup_content  classes\class-wp-popup.php:186
filter  wp_popup_content  classes\class-wp-popup.php:187
filter  wp_popup_content  classes\class-wp-popup.php:188
filter  wp_popup_content  classes\class-wp-popup.php:189
filter  wp_popup_content  classes\class-wp-popup.php:190
filter  wp_popup_content  classes\class-wp-popup.php:191
filter  wp_popup_content  classes\class-wp-popup.php:192
filter  fl_builder_content_classes  classes\class-wp-popup.php:854
filter  the_content  classes\class-wp-popup.php:890
filter  wp_popup_content  classes\class-wp-popup.php:892
action  cmb2_admin_init  includes\CMB2\example-functions.php:105
action  cmb2_admin_init  includes\CMB2\example-functions.php:470
action  cmb2_admin_init  includes\CMB2\example-functions.php:500
action  cmb2_admin_init  includes\CMB2\example-functions.php:564
action  cmb2_admin_init  includes\CMB2\example-functions.php:633
action  cmb2_admin_init  includes\CMB2\example-functions.php:674
action  cmb2_init  includes\CMB2\example-functions.php:777
filter  wp_prepare_attachment_for_js  includes\CMB2\includes\CMB2.php:1558
action  admin_enqueue_scripts  includes\CMB2\includes\CMB2.php:1576
action  cmb2_save_options-page_fields  includes\CMB2\includes\CMB2_Ajax.php:54
filter  get_post_metadata  includes\CMB2\includes\CMB2_Ajax.php:147
filter  update_post_metadata  includes\CMB2\includes\CMB2_Ajax.php:150
filter  cmb2_show_on  includes\CMB2\includes\CMB2_Hookup.php:79
action  edit_form_top  includes\CMB2\includes\CMB2_Hookup.php:115
action  edit_form_before_permalink  includes\CMB2\includes\CMB2_Hookup.php:119
action  edit_form_after_title  includes\CMB2\includes\CMB2_Hookup.php:123
action  edit_form_after_editor  includes\CMB2\includes\CMB2_Hookup.php:127
action  add_meta_boxes  includes\CMB2\includes\CMB2_Hookup.php:131
action  add_meta_boxes  includes\CMB2\includes\CMB2_Hookup.php:134
action  add_attachment  includes\CMB2\includes\CMB2_Hookup.php:135
action  edit_attachment  includes\CMB2\includes\CMB2_Hookup.php:136
action  save_post  includes\CMB2\includes\CMB2_Hookup.php:137
action  pre_get_posts  includes\CMB2\includes\CMB2_Hookup.php:144
action  add_meta_boxes_comment  includes\CMB2\includes\CMB2_Hookup.php:152
action  edit_comment  includes\CMB2\includes\CMB2_Hookup.php:153
filter  manage_edit-comments_columns  includes\CMB2\includes\CMB2_Hookup.php:156
action  manage_comments_custom_column  includes\CMB2\includes\CMB2_Hookup.php:157
filter  manage_edit-comments_sortable_columns  includes\CMB2\includes\CMB2_Hookup.php:158
action  pre_get_posts  includes\CMB2\includes\CMB2_Hookup.php:159
action  show_user_profile  includes\CMB2\includes\CMB2_Hookup.php:168
action  edit_user_profile  includes\CMB2\includes\CMB2_Hookup.php:169
action  user_new_form  includes\CMB2\includes\CMB2_Hookup.php:170
action  personal_options_update  includes\CMB2\includes\CMB2_Hookup.php:172
action  edit_user_profile_update  includes\CMB2\includes\CMB2_Hookup.php:173
action  user_register  includes\CMB2\includes\CMB2_Hookup.php:174
filter  manage_users_columns  includes\CMB2\includes\CMB2_Hookup.php:177
filter  manage_users_custom_column  includes\CMB2\includes\CMB2_Hookup.php:178
filter  manage_users_sortable_columns  includes\CMB2\includes\CMB2_Hookup.php:179
action  pre_get_posts  includes\CMB2\includes\CMB2_Hookup.php:180
action  pre_get_posts  includes\CMB2\includes\CMB2_Hookup.php:226
action  created_term  includes\CMB2\includes\CMB2_Hookup.php:230
action  edited_terms  includes\CMB2\includes\CMB2_Hookup.php:231
action  delete_term  includes\CMB2\includes\CMB2_Hookup.php:232
action  cmb2_do_oembed  includes\CMB2\includes\helper-functions.php:131
filter  is_protected_meta  includes\CMB2\includes\rest-api\CMB2_REST.php:144
action  init  includes\CMB2\init.php:131
action  cmb2_render_post_search_ajax  includes\cmb2-field-post-search-ajax\cmb-field-post-search-ajax.php:34
action  cmb2_sanitize_post_search_ajax  includes\cmb2-field-post-search-ajax\cmb-field-post-search-ajax.php:35
action  cmb2_init  includes\cmb2-field-post-search-ajax\example-field-setup.php:81
action  plugins_loaded  wp-popup.php:50
Maintenance & Trust

WP Popup Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 3, 2025
PHP min version
Downloads: 14K

Community Trust

Rating: 84/100
Number of ratings: 6
Active installs: 900
Developer Profile

WP Popup Developer Profile

cornershop

9 plugins · 12K total installs

Trust score: 87
Avg Security Score: 99/100
Avg Patch Time: 70 days
Detection Fingerprints

How We Detect WP Popup

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
