WP Tactical Popup Security & Risk Analysis

wordpress.org/plugins/wp-tactical-popup

Capture your visitors' attention with lightboxes. Show email opt-in lightboxes (popups), HTML popups and image popups.

50 active installs · v1.1 · WP 3.0+ (PHP minimum not stated) · Updated Jun 3, 2016
Tags: email-opt-in, email-popup, html, aweber, image, popup

Score: 63/100 · Grade C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Sep 16, 2025
Safety Verdict

Is WP Tactical Popup Safe to Use in 2026?

Use With Caution

Score 63/100

WP Tactical Popup has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Sep 16, 2025 · Plugin last updated Jun 3, 2016 (over 9 years ago)
Risk Assessment

The wp-tactical-popup plugin, version 1.1, presents a significant security risk on several findings from static analysis. The primary concern is the `wppt-do` AJAX action, registered on both the `wp_ajax_` and `wp_ajax_nopriv_` hooks (index.php:38-39) with no nonce or capability check on either; the `nopriv` registration means the handler is reachable by unauthenticated visitors through admin-ajax.php. The plugin also calls the dangerous `unserialize` function four times (class-popup.php:41-42, models\class-popup-model.php:52 and 58) on the stored `popup_data` and `behaviour` fields. Unserializing attacker-controlled data is a PHP object injection vector that can lead to remote code execution when a suitable gadget chain is loadable; here the exposure depends on whether an attacker can write to those fields, so the save flow and the unprotected AJAX handler should be examined with that question in mind. Finally, none of the 23 identified output points passes through an escaping function, which makes cross-site scripting (XSS) highly probable.

The vulnerability history fits this picture. The plugin has one known CVE, CVE-2025-58921, a reflected cross-site scripting flaw rated medium (CVSS 6.1) that remains unpatched. It matches the static finding of zero escaped outputs, and since the plugin was last updated in June 2016 there is no sign that a fix is coming. The analysis flagged no unsanitized taint flows, but it does count 7 of the plugin's 13 SQL queries as not using prepared statements, so those should be reviewed rather than assumed safe. Taken together, unprotected entry points, `unserialize` on stored data, pervasive missing output escaping and an unpatched XSS CVE make this a plugin that requires immediate attention: evaluate alternatives or apply mitigations.

Key Concerns

  • Unprotected AJAX handlers (`wppt-do` on both `wp_ajax_` and `wp_ajax_nopriv_`, no nonce check)
  • Use of the dangerous `unserialize` function (4 call sites)
  • No output escaping (0 of 23 outputs escaped)
  • Unpatched medium severity CVE (CVE-2025-58921, reflected XSS)
  • Missing capability checks on the AJAX entry points
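The handler shape the analysis describes, shown beside a hardened form, as an added example. This is not the plugin's code: only the hook names `wp_ajax_wppt-do` / `wp_ajax_nopriv_wppt-do` and the fact that stored `popup_data` is passed to `unserialize()` come from the analysis above. The handler bodies, the `wppt_do` nonce action, the `id` and `security` request fields, the `wppt_popups` table and the helper names are assumptions made for illustration.

```php
<?php
/*
 * Added example, not code from wp-tactical-popup. Only the hook names
 * (wp_ajax_wppt-do, wp_ajax_nopriv_wppt-do) and the unserialize() of a
 * stored popup_data blob come from the analysis on this page. Everything
 * else (handler bodies, 'wppt_do' nonce action, 'id'/'security' request
 * fields, the wppt_popups table, helper names) is assumed for illustration.
 * PHP 7+ is required for the unserialize() options argument.
 */

/* Shape the analysis flags: one handler on both hooks, no nonce, no
 * capability check, unserialize() on a stored blob, unescaped echo.
 * (Shown for contrast; a real plugin would register only one handler.) */
add_action( 'wp_ajax_wppt-do',        'wppt_do_unprotected' );
add_action( 'wp_ajax_nopriv_wppt-do', 'wppt_do_unprotected' ); // anonymous reach: admin-ajax.php?action=wppt-do

function wppt_do_unprotected() {
    $id   = $_POST['id'];                                  // untrusted and unvalidated
    $row  = wppt_get_popup_row( $id );                     // assumed lookup, defined below
    $data = unserialize( $row['popup_data'] );             // object injection if this column is ever attacker-written
    echo '<div data-popup-id="' . $id . '">' . $data['title'] . '</div>'; // no esc_attr()/esc_html(): XSS
    wp_die();
}

/* Hardened form: logged-in hook only, nonce then capability, validated id,
 * prepared query, class-free decoding, context-correct escaping. */
add_action( 'wp_ajax_wppt-do', 'wppt_do_hardened' ); // no wp_ajax_nopriv_ registration: admin-only action

function wppt_do_hardened() {
    // CSRF: dies unless $_REQUEST['security'] carries a valid nonce for 'wppt_do'
    // (mint it with wp_create_nonce( 'wppt_do' ) and hand it to the script via wp_localize_script()).
    check_ajax_referer( 'wppt_do', 'security' );

    // Authorization: a logged-in session is not enough; require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input validation: the id is a positive integer or the request is rejected.
    $id  = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $row = $id ? wppt_get_popup_row( $id ) : null;
    if ( ! $row ) {
        wp_send_json_error( 'not found', 404 );
    }

    $data  = wppt_decode_popup_data( $row['popup_data'] );
    $title = isset( $data['title'] ) ? (string) $data['title'] : '';

    // Escape for the exact context: attribute value vs. element text.
    $html = sprintf( '<div data-popup-id="%s">%s</div>', esc_attr( $id ), esc_html( $title ) );
    wp_send_json_success( $html );
}

/* Decode the stored structure without letting it instantiate objects. */
function wppt_decode_popup_data( $blob ) {
    $blob = (string) $blob;
    $data = json_decode( $blob, true );                   // preferred format for new rows: no objects, ever
    if ( is_array( $data ) ) {
        return $data;
    }
    // Legacy serialized rows: allowed_classes => false turns any object into
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() gadget can run.
    $data = @unserialize( $blob, array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : array();          // insist on the array shape callers expect
}

/* Parameterised lookup; the table name is assumed. */
function wppt_get_popup_row( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wppt_popups';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, popup_data FROM {$table} WHERE id = %d", $id ),
        ARRAY_A
    );
}
```

The analysis does count 3 nonce checks and 1 capability check somewhere in the plugin; what matters for the attack surface is that neither sits on the `wppt-do` entry point. Dropping the `wp_ajax_nopriv_` registration is the single highest-value change, because it turns an anonymous entry point into one that at least requires a session before the nonce and capability gates are even reached.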
Vulnerabilities (1)

WP Tactical Popup Security Vulnerabilities

CVEs by Year

2025: 1 CVE (unpatched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-58921 · Medium (CVSS 6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Tactical Popup <= 1.1 - Reflected Cross-Site Scripting

Sep 16, 2025 · Unpatched

The affected range (<= 1.1) covers the current release, so every install is affected and there is no fixed version to upgrade to; mitigation has to happen outside the plugin (WAF rule on the reflected parameter, or removal).
Code Analysis
Analyzed Mar 16, 2026

WP Tactical Popup Code Analysis

Dangerous Functions: 4
SQL Queries: 13 total, 6 prepared, 7 raw (not prepared)
Unescaped Output: 23 (0 escaped)
Nonce Checks: 3
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · class-popup.php:41
    $popup['popup_data'] = (isset($popup['popup_data'])) ? unserialize($popup['popup_data']) : array();
unserialize · class-popup.php:42
    $popup['b'] = (isset($popup['behaviour'])) ? unserialize($popup['behaviour']) : array();
unserialize · models\class-popup-model.php:52
    $data['popup_data'] = unserialize($data['popup_data']);
unserialize · models\class-popup-model.php:58
    $data['b'] = unserialize($data['behaviour']);

All four calls decode the `popup_data` and `behaviour` fields of a popup record rather than request input directly; whether an attacker can populate those fields (through the save flow or the unprotected AJAX handler) determines whether this is exploitable. None of the calls passes an `allowed_classes` option, so any object an attacker can get into those fields will be instantiated.

SQL Query Safety

6 of 13 queries prepared (46%)

Output Escaping

0 of 23 outputs escaped (0%)
Data Flows

Data Flow Analysis

2 flows traced, all sanitized. Named flow:
  save (includes\class-admin-view-simple.php:22)
Attack Surface
2 unprotected

WP Tactical Popup Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers (2)

  wp_ajax_wppt-do (logged-in users only, enforced by WordPress itself) · index.php:38
  wp_ajax_nopriv_wppt-do (unauthenticated visitors) · index.php:39

Both registrations point the `wppt-do` action at handlers with no nonce or capability check. The `wp_ajax_` hook at least requires a session; the `wp_ajax_nopriv_` hook makes the same code reachable by anyone who can send a POST to /wp-admin/admin-ajax.php?action=wppt-do.
WordPress Hooks (7)

  action admin_menu · admin.php:28
  action current_screen · admin.php:29
  action admin_enqueue_scripts · admin.php:33
  action admin_enqueue_scripts · admin.php:40
  action wp · index.php:40
  action wp_enqueue_scripts · index.php:56
  action admin_bar_menu · index.php:57
Maintenance & Trust

WP Tactical Popup Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.5.33
Last updated: Jun 3, 2016
PHP min version: not stated
Downloads: 7K

Community Trust

Rating: 96/100
Number of ratings: 5
Active installs: 50
Developer Profile

WP Tactical Popup Developer Profile

Arevico · 4 plugins · 110 total installs

Trust score: 76
Avg Security Score: 74/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP Tactical Popup

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-tactical-popup/includes/modal/mp.css
/wp-content/plugins/wp-tactical-popup/includes/modal/mp.js
/wp-content/plugins/wp-tactical-popup/includes/admin-style/admin.css
/wp-content/plugins/wp-tactical-popup/includes/tab/tab-simple.js
/wp-content/plugins/wp-tactical-popup/includes/chart/chart.js
/wp-content/plugins/wp-tactical-popup/includes/jscolor/jscolor.js
Script Paths
/wp-content/plugins/wp-tactical-popup/includes/modal/mp.js
Version Parameters
wp-tactical-popup/includes/modal/mp.css?ver=
wp-tactical-popup/includes/modal/mp.js?ver=
wp-tactical-popup/includes/admin-style/admin.css?ver=
wp-tactical-popup/includes/tab/tab-simple.js?ver=
wp-tactical-popup/includes/chart/chart.js?ver=
wp-tactical-popup/includes/jscolor/jscolor.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpptlb-tact-css (the `-css` suffix is what WordPress appends to a stylesheet handle when it writes the `id` attribute of the `<link>` tag, so expect this as `<link id="wpptlb-tact-css">` rather than as a class on content elements)
Data Attributes
data-popup-id
JS Globals
wpptlb_tact
REST Endpoints
/wp-json/wppt-do (the `wppt-do` action is registered through `wp_ajax_` hooks per the attack surface above, which WordPress serves from /wp-admin/admin-ajax.php?action=wppt-do; the analysis shows no REST route registration, so treat this path as an unconfirmed fingerprint and probe admin-ajax.php instead)
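The fingerprints listed above applied to one HTML document, as an added example that is not part of the audit tooling this page describes. The `$html` fragment is constructed for the example; the only plugin-specific strings used are the asset paths, the `wpptlb_tact` global, the `data-popup-id` attribute and the `wpptlb-tact-css` marker from the lists above.

```php
<?php
/*
 * Added example, not part of this page's audit tooling. Checks a page body
 * for the wp-tactical-popup fingerprints listed above and pulls the ?ver=
 * value off the first plugin asset it sees. The sample HTML is constructed.
 */

function wppt_fingerprint( $html ) {
    $result = array( 'detected' => false, 'version' => null, 'signals' => array() );

    // 1. Asset paths: a hit on the plugin directory is the strongest signal.
    $assets = array(
        '/wp-content/plugins/wp-tactical-popup/includes/modal/mp.css',
        '/wp-content/plugins/wp-tactical-popup/includes/modal/mp.js',
        '/wp-content/plugins/wp-tactical-popup/includes/admin-style/admin.css',
        '/wp-content/plugins/wp-tactical-popup/includes/tab/tab-simple.js',
        '/wp-content/plugins/wp-tactical-popup/includes/chart/chart.js',
        '/wp-content/plugins/wp-tactical-popup/includes/jscolor/jscolor.js',
    );
    foreach ( $assets as $path ) {
        if ( false !== strpos( $html, $path ) ) {
            $result['signals'][] = $path;
        }
    }

    // 2. Version parameter: whatever follows ?ver= on a plugin asset.
    //    Caveat: when a plugin enqueues without a version, WordPress
    //    substitutes its own core version, so this is a hint, not proof.
    if ( preg_match( '~/wp-tactical-popup/[^"\'\s?]+\?ver=([0-9][0-9A-Za-z.\-]*)~', $html, $m ) ) {
        $result['version'] = $m[1];
    }

    // 3. DOM markers that survive asset renaming or CDN rewriting of URLs.
    foreach ( array( 'wpptlb_tact', 'data-popup-id', 'wpptlb-tact-css' ) as $marker ) {
        if ( false !== strpos( $html, $marker ) ) {
            $result['signals'][] = $marker;
        }
    }

    $result['detected'] = count( $result['signals'] ) > 0;
    return $result;
}

// Constructed sample fragment (not captured from a real site). The ?ver=1.1
// value is made up to show the capture; real pages may carry any value.
$html = <<<'HTML'
<link rel='stylesheet' id='wpptlb-tact-css' href='https://example.test/wp-content/plugins/wp-tactical-popup/includes/modal/mp.css?ver=1.1' type='text/css' media='all' />
<script type='text/javascript'>var wpptlb_tact = {"ajaxurl":"https:\/\/example.test\/wp-admin\/admin-ajax.php"};</script>
<script type='text/javascript' src='https://example.test/wp-content/plugins/wp-tactical-popup/includes/modal/mp.js?ver=1.1'></script>
<div class="wpptlb" data-popup-id="3"></div>
HTML;

$r = wppt_fingerprint( $html );
printf(
    "detected=%s version=%s signals=%s\n",
    $r['detected'] ? 'yes' : 'no',
    $r['version'] ? $r['version'] : 'unknown',
    implode( ',', $r['signals'] )
);
```

Because 1.1 is the only release and the CVE range is `<= 1.1`, a positive detection is enough to call the site affected; the version capture matters more for plugins with a fixed release. To confirm the entry point is live rather than merely the assets being present, send a POST with `action=wppt-do` to /wp-admin/admin-ajax.php and compare the response to the `0` body WordPress returns for an unregistered action.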