WP Popup Builder – Popup Forms and Marketing Lead Generation Security & Risk Analysis

wordpress.org/plugins/wp-popup-builder

WP Popup Builder is a powerful tool to create amazing popup for your site. Its drag and drop feature help to create form in very easy step without hav …

3K active installs · v1.3.6 · PHP + WP 5.5+ · Updated Oct 10, 2024
Tags: popup, popup-builder, popup-maker, popups, wp-popup
Score: 61 · C · Use Caution
CVEs total: 4
Unpatched: 1
Last CVE: Sep 27, 2025
Safety Verdict

Is WP Popup Builder – Popup Forms and Marketing Lead Generation Safe to Use in 2026?

Use With Caution

Score 61/100

WP Popup Builder – Popup Forms and Marketing Lead Generation has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

4 known CVEs · 1 unpatched · Last CVE: Sep 27, 2025 · Updated 1yr ago
Risk Assessment

The wp-popup-builder plugin v1.3.6 exhibits a mixed security posture. On the positive side, it demonstrates strong adherence to WordPress security best practices with 100% output escaping and the widespread use of prepared statements for SQL queries. All identified entry points (AJAX handlers, REST API routes, shortcodes, cron events) appear to have authorization checks, and nonces are implemented for most AJAX handlers, which are excellent indicators of a secure codebase. The plugin also has no file operations or bundled libraries, further reducing potential attack vectors.

However, there are significant concerns. The eight calls to the dangerous `unserialize` function are a major red flag, as improper handling of unserialized data can lead to various vulnerabilities, including code execution. The taint analysis reveals 3 flows with unsanitized paths, all marked as high severity. This points directly to potential vulnerabilities where untrusted input can influence sensitive operations. The plugin's vulnerability history, with 4 known CVEs including unpatched high and medium severity issues, and a last reported vulnerability in late 2025, indicates a recurring pattern of security weaknesses and a current unpatched threat. This history, combined with the high-severity taint flows, suggests a real risk of exploitation.

In conclusion, while the plugin implements many secure coding practices like output escaping and prepared statements, the critical risk posed by the `unserialize` calls, high-severity unsanitized taint flows, and a history of unpatched vulnerabilities cannot be ignored. The existence of an unpatched CVE, in particular, represents an immediate threat that users must address. The plugin's overall security is compromised by these critical issues, despite its strengths in other areas.

Key Concerns

  • Unpatched CVE (1 high)
  • High severity unsanitized taint flows (3)
  • Dangerous function usage (unserialize)
  • Vulnerability history (4 total CVEs)
  • Vulnerability history (medium severity CVEs)
Vulnerabilities
4

WP Popup Builder – Popup Forms and Marketing Lead Generation Security Vulnerabilities

CVEs by Year

  • 2022: 2 CVEs
  • 2024: 1 CVE
  • 2025: 1 CVE · unpatched

Severity Breakdown

  • High: 2
  • Medium: 2

4 total CVEs

CVE-2025-62902 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

WP Popup Builder <= 1.3.6 - Unauthenticated Information Exposure

Sep 27, 2025 · Unpatched

CVE-2024-9061 · high · 7.3 · Improper Control of Generation of Code ('Code Injection')

WP Popup Builder – Popup Forms and Marketing Lead Generation <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add

Oct 15, 2024 · Patched in 1.3.6 (1d)

CVE-2022-2405 · high · 7.5 · Missing Authorization

WP Popup Builder <= 1.2.9 - Missing Authorization and Cross-Site Request Forgery

Sep 5, 2022 · Patched in 1.3.0 (505d)

CVE-2022-2404 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Popup Builder <= 1.2.8 - Reflected Cross-Site Scripting

Sep 5, 2022 · Patched in 1.2.9 (505d)

Code Analysis
Analyzed Mar 16, 2026

WP Popup Builder – Popup Forms and Marketing Lead Generation Code Analysis

  • Dangerous Functions: 8
  • Raw SQL Queries: 1 (12 prepared)
  • Unescaped Output: 2 (474 escaped)
  • Nonce Checks: 9
  • Capability Checks: 9
  • File Operations: 0
  • External Requests: 1
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `if ($setting && @unserialize($setting)) {` · admin\db.php:153
  • unserialize · `$allSetting = unserialize($setting);` · admin\db.php:173
  • unserialize · `if (isset($value->boption) && isset($value->setting) && @unserialize($value->boption)) {` · front\load.php:46
  • unserialize · `$option = unserialize($value->boption);` · inc\popup-init.php:386
  • unserialize · `if (isset($customAddon->boption) && $customAddon->boption != '') $addon_option = unserialize($custom` … · inc\popup.php:27
  • unserialize · `$allSetting = unserialize($customAddon->setting);` · inc\popup.php:29
  • unserialize · `$allSetting = unserialize($popupValue->setting);` · inc\popups-page.php:74
  • unserialize · `$bOption = unserialize($popupValue->boption);` · inc\popups-page.php:80

SQL Query Safety

92% prepared · 13 total queries

Output Escaping

100% escaped · 476 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

6 flows · 3 with unsanitized paths
shortcode_Api_Add (admin\ajax.php:126)
Attack Surface

WP Popup Builder – Popup Forms and Marketing Lead Generation Attack Surface

Entry Points: 11
Unprotected: 0

AJAX Handlers 10

  • auth · wp_ajax_custom_insert · admin\ajax.php:9
  • auth · wp_ajax_custom_update · admin\ajax.php:10
  • auth · wp_ajax_delete_popup · admin\ajax.php:11
  • auth · wp_ajax_popup_active · admin\ajax.php:12
  • auth · wp_ajax_option_update · admin\ajax.php:14
  • auth · wp_ajax_getLeadForm · admin\ajax.php:16
  • auth · wp_ajax_activate_lead_form · admin\ajax.php:18
  • auth · wp_ajax_shortcode_Api_Add · admin\ajax.php:20
  • nopriv · wp_ajax_shortcode_Api_Add · admin\ajax.php:21
  • auth · wp_ajax_themehunk_activeplugin · admin\themehunk-menu\admin-menu.php:7

Shortcodes 1

[wppb] front\shortcode.php:8

WordPress Hooks 14

  • action · admin_menu · admin\inc.php:14
  • action · admin_enqueue_scripts · admin\inc.php:15
  • action · wp_enqueue_scripts · admin\inc.php:16
  • action · admin_init · admin\inc.php:93
  • action · admin_menu · admin\themehunk-menu\admin-menu.php:8
  • action · admin_enqueue_scripts · admin\themehunk-menu\admin-menu.php:9
  • action · wp_footer · front\load.php:8
  • action · wp_footer · front\load.php:10
  • action · admin_init · notify\notify.php:17
  • action · admin_notices · notify\notify.php:24
  • action · admin_enqueue_scripts · notify\notify.php:25
  • action · admin_notices · notify\notify.php:31
  • action · plugins_loaded · wp-popup-builder.php:23
  • filter · plugin_row_meta · wp-popup-builder.php:41
Maintenance & Trust

WP Popup Builder – Popup Forms and Marketing Lead Generation Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Oct 10, 2024
PHP min version
Downloads: 219K

Community Trust

Rating: 70/100
Number of ratings: 2
Active installs: 3K
Developer Profile

WP Popup Builder – Popup Forms and Marketing Lead Generation Developer Profile

ThemeHunk

48 plugins · 66K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 189 days
Detection Fingerprints

How We Detect WP Popup Builder – Popup Forms and Marketing Lead Generation

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wp-popup-builder/css/style.css
  • /wp-content/plugins/wp-popup-builder/css/popup-style.css
  • /wp-content/plugins/wp-popup-builder/css/rl_i_editor.css
  • /wp-content/plugins/wp-popup-builder/js/script.js
  • /wp-content/plugins/wp-popup-builder/css/fstyle.css
  • /wp-content/plugins/wp-popup-builder/js/fscript.js
  • /wp-content/plugins/wp-popup-builder/js/color/nano.min.css
  • /wp-content/plugins/wp-popup-builder/js/color/pickr.es5.min.js

Script Paths

  • /wp-content/plugins/wp-popup-builder/js/script.js
  • /wp-content/plugins/wp-popup-builder/js/fscript.js
  • /wp-content/plugins/wp-popup-builder/js/color/pickr.es5.min.js

Version Parameters

  • wp-popup-builder/css/style.css?ver=
  • wp-popup-builder/css/popup-style.css?ver=
  • wp-popup-builder/css/rl_i_editor.css?ver=
  • wp-popup-builder/js/script.js?ver=
  • wp-popup-builder/css/fstyle.css?ver=
  • wp-popup-builder/js/fscript.js?ver=
  • wp-popup-builder/js/color/nano.min.css?ver=
  • wp-popup-builder/js/color/pickr.es5.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
wppb-container, wppb-popup-content
Data Attributes
data-wppb-id
JS Globals
wppb_ajax_backend
Shortcode Output
[wp_popup_builder
FAQ

Frequently Asked Questions about WP Popup Builder – Popup Forms and Marketing Lead Generation