WP Popup Builder – Popup Forms and Marketing Lead Generation Security & Risk Analysis

The wp-popup-builder plugin v1.3.6 exhibits a mixed security posture. On the positive side, it demonstrates strong adherence to WordPress security best practices with 100% output escaping and the widespread use of prepared statements for SQL queries. All identified entry points (AJAX handlers, REST API routes, shortcodes, cron events) appear to have authorization checks, and nonces are implemented for most AJAX handlers, which are excellent indicators of a secure codebase. The plugin also has no file operations or bundled libraries, further reducing potential attack vectors.

However, there are significant concerns. The presence of eight dangerous `unserialize` functions is a major red flag, as improper handling of unserialized data can lead to various vulnerabilities, including code execution. The taint analysis reveals 3 flows with unsanitized paths, all marked as high severity. This directly points to potential vulnerabilities where untrusted input can influence sensitive operations. The plugin's vulnerability history, with 4 known CVEs including unpatched high and medium severity issues, and a last reported vulnerability in late 2025, indicates a recurring pattern of security weaknesses and a current unpatched threat. This history, combined with the high-severity taint flows, suggests a real risk of exploitation.

In conclusion, while the plugin implements many secure coding practices like output escaping and prepared statements, the critical risk posed by the `unserialize` functions, high-severity unsanitized taint flows, and a history of unpatched vulnerabilities cannot be ignored. The existence of an unpatched CVE, in particular, represents an immediate threat that users must address. The plugin's overall security is compromised by these critical issues, despite its strengths in other areas.