WP-Safety

YITH WooCommerce Popup Security & Risk Analysis

wordpress.org/plugins/yith-woocommerce-popup

Create and customize your popup windows using templates carefully designed by YITH.

2K active installs v1.54.0 PHP 7.4+ WP 6.7+ Updated Mar 2, 2026
custom-popuppop-uppopuppopupswoocommerce-popup
97
A · Safe
CVEs total2
Unpatched0
Last CVEJul 30, 2025
Plugin page Download
Safety Verdict

Is YITH WooCommerce Popup Safe to Use in 2026?

Generally Safe

Score 97/100

YITH WooCommerce Popup has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Jul 30, 2025Updated 1mo ago
Risk Assessment

The yith-woocommerce-popup plugin v1.54.0 demonstrates a generally good security posture with strong adherence to best practices. The static analysis reveals a high percentage of properly escaped outputs and a significant number of capability checks, indicating a conscious effort towards secure coding. The absence of dangerous functions, file operations, and critical or high severity taint flows is also a positive sign. However, the presence of one AJAX handler without authentication checks represents a notable weakness, potentially exposing functionality to unauthorized users. The plugin's vulnerability history, despite having no currently unpatched CVEs, shows a pattern of past high and medium severity vulnerabilities, specifically citing Cross-Site Request Forgery (CSRF) and Missing Authorization. This history suggests that while recent versions may be more secure, past issues indicate a potential for overlooking authorization or input validation in certain areas. The plugin benefits from a robust number of nonce checks and a low count of SQL queries without prepared statements. Overall, the plugin is in good standing, but the single unprotected AJAX endpoint and the historical trend of authorization-related vulnerabilities warrant attention and continued vigilance.

Key Concerns

  • AJAX handler without auth checks
  • History of high severity vulnerabilities
  • History of medium severity vulnerabilities
Vulnerabilities
2

YITH WooCommerce Popup Security Vulnerabilities

CVEs by Year

1 CVE in 2022
2022
1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

High
1
Medium
1

2 total CVEs

CVE-2025-54675medium · 4.3Cross-Site Request Forgery (CSRF)

YITH WooCommerce Popup <= 1.48.0 - Cross-Site Request Forgery

Jul 30, 2025 Patched in 1.48.1 (6d)
WF-b948574a-0aab-4596-83e6-04be21f78bc1-yith-woocommerce-popuphigh · 7.1Missing Authorization

YITH plugins by YITHEMES <= (Various Versions) - Missing Authorization

Nov 11, 2022 Patched in 1.21.1 (438d)
Code Analysis
Analyzed Mar 16, 2026

YITH WooCommerce Popup Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
5 prepared
Unescaped Output
112
1675 escaped
Nonce Checks
18
Capability Checks
16
File Operations
0
External Requests
7
Bundled Libraries
1

Bundled Libraries

Select2

SQL Query Safety

83% prepared6 total queries

Output Escaping

94% escaped1787 total outputs
Data Flows
All sanitized

Data Flow Analysis

18 flows
change_status (includes\class-yith-popup-admin.php:320)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

YITH WooCommerce Popup Attack Surface

Entry Points10
Unprotected1

AJAX Handlers 10

authwp_ajax_ypop_change_statusincludes\class-yith-popup-admin.php:100
noprivwp_ajax_ypop_change_statusincludes\class-yith-popup-admin.php:101
authwp_ajax_ypop_subscribe_mailchimp_userincludes\newsletter-integration\Mailchimp.php:153
noprivwp_ajax_ypop_subscribe_mailchimp_userincludes\newsletter-integration\Mailchimp.php:154
authwp_ajax_ypop_refresh_mailchimp_listincludes\newsletter-integration\Mailchimp.php:256
authwp_ajax_yith_plugin_fw_gutenberg_do_shortcodeplugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:63
authwp_ajax_yith_plugin_fw_save_toggle_element_metaboxplugin-fw\includes\class-yit-metabox.php:86
authwp_ajax_yith_plugin_fw_save_toggle_elementplugin-fw\includes\class-yit-plugin-panel.php:138
authwp_ajax_yith_bh_onboardingplugin-fw\includes\class-yith-bh-onboarding.php:37
authwp_ajax_yith_create_log_fileplugin-fw\includes\class-yith-system-status.php:101
WordPress Hooks 116
filteryith_show_plugin_row_metaincludes\class-yith-popup-admin.php:93
actionadmin_enqueue_scriptsincludes\class-yith-popup-admin.php:96
filteryit_fw_metaboxes_type_argsincludes\class-yith-popup-admin.php:98
filteryit_fw_metaboxes_type_argsincludes\class-yith-popup-admin.php:103
filteryith_plugin_fw_metabox_classincludes\class-yith-popup-admin.php:104
actionadmin_menuincludes\class-yith-popup-admin.php:141
actionyith_ypop_premium_tabincludes\class-yith-popup-admin.php:142
actiontemplate_redirectincludes\class-yith-popup-frontend.php:82
actionwp_enqueue_scriptsincludes\class-yith-popup-frontend.php:85
actionwp_enqueue_scriptsincludes\class-yith-popup-frontend.php:119
actionwp_footerincludes\class-yith-popup-frontend.php:120
actioninitincludes\class-yith-popup.php:82
actionadmin_initincludes\class-yith-popup.php:83
actionbefore_woocommerce_initincludes\class-yith-popup.php:88
filteryith-popup-newsletter-integration-typeincludes\newsletter-integration\Mailchimp.php:52
filteryith-popup-newsletter-metaboxincludes\newsletter-integration\Mailchimp.php:53
actionadmin_enqueue_scriptsincludes\newsletter-integration\Mailchimp.php:259
actionadmin_noticesinit.php:41
actionplugins_loadedinit.php:120
actionadmin_noticesinit.php:139
actionyith_ypop_initinit.php:163
actionelementor/elements/categories_registeredplugin-fw\includes\builders\elementor\class-yith-elementor.php:50
actionelementor/editor/after_enqueue_stylesplugin-fw\includes\builders\elementor\class-yith-elementor.php:52
actionelementor/frontend/after_enqueue_stylesplugin-fw\includes\builders\elementor\class-yith-elementor.php:53
actioninitplugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:60
actioninitplugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:61
actioninitplugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:62
actionwc_ajax_yith_plugin_fw_gutenberg_do_shortcodeplugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:64
actioninitplugin-fw\includes\class-yit-assets.php:47
actionelementor/editor/before_enqueue_stylesplugin-fw\includes\class-yit-assets.php:48
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-assets.php:50
actioninitplugin-fw\includes\class-yit-assets.php:52
actionshould_load_block_editor_scripts_and_stylesplugin-fw\includes\class-yit-assets.php:53
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-icons.php:970
actionwp_enqueue_scriptsplugin-fw\includes\class-yit-icons.php:971
actionadd_meta_boxesplugin-fw\includes\class-yit-metabox.php:80
actionsave_postplugin-fw\includes\class-yit-metabox.php:81
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-metabox.php:82
filteryit_icons_screen_idsplugin-fw\includes\class-yit-metabox.php:84
filteradmin_body_classplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:93
actionadmin_initplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:94
actionadmin_menuplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:95
actionadmin_menuplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:96
actionadmin_bar_menuplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:97
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:98
actionadmin_initplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:99
filterwoocommerce_screen_idsplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:100
filterwoocommerce_admin_settings_sanitize_optionplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:102
actionyith_plugin_fw_get_field_afterplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:104
actionadmin_action_yith_plugin_fw_save_toggle_elementplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:105
filterwoocommerce_admin_settings_sanitize_optionplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:106
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:108
actionadmin_initplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:109
filteryith_plugin_fw_premium_landing_uriplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:112
actionwoocommerce_admin_field_boxinfoplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:126
actionwoocommerce_admin_field_yith-fieldplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:127
filterwoocommerce_admin_settings_sanitize_optionplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:129
actionadmin_menuplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:132
filteradd_menu_classesplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:134
filteradmin_body_classplugin-fw\includes\class-yit-plugin-panel.php:121
actionadmin_initplugin-fw\includes\class-yit-plugin-panel.php:122
actionadmin_menuplugin-fw\includes\class-yit-plugin-panel.php:123
actionadmin_menuplugin-fw\includes\class-yit-plugin-panel.php:124
actionadmin_bar_menuplugin-fw\includes\class-yit-plugin-panel.php:125
actionadmin_initplugin-fw\includes\class-yit-plugin-panel.php:126
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-plugin-panel.php:128
actionadmin_initplugin-fw\includes\class-yit-plugin-panel.php:129
filteryith_plugin_fw_premium_landing_uriplugin-fw\includes\class-yit-plugin-panel.php:132
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-plugin-panel.php:137
actionall_admin_noticesplugin-fw\includes\class-yit-plugin-panel.php:242
actionadmin_footerplugin-fw\includes\class-yit-plugin-panel.php:243
filterparent_fileplugin-fw\includes\class-yit-plugin-panel.php:245
filtersubmenu_fileplugin-fw\includes\class-yit-plugin-panel.php:246
actionadmin_menuplugin-fw\includes\class-yit-plugin-panel.php:259
filteradd_menu_classesplugin-fw\includes\class-yit-plugin-panel.php:260
filterremovable_query_argsplugin-fw\includes\class-yit-plugin-panel.php:261
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-plugin-panel.php:1081
actionadmin_initplugin-fw\includes\class-yit-plugin-panel.php:1082
actionadmin_footerplugin-fw\includes\class-yit-plugin-panel.php:1213
actionadmin_initplugin-fw\includes\class-yit-plugin-subpanel.php:44
actionadmin_menuplugin-fw\includes\class-yit-plugin-subpanel.php:45
actionadmin_bar_menuplugin-fw\includes\class-yit-plugin-subpanel.php:46
actionadmin_initplugin-fw\includes\class-yit-plugin-subpanel.php:47
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-plugin-subpanel.php:48
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-pointers.php:118
actionadmin_initplugin-fw\includes\class-yit-pointers.php:119
actionyith_bh_onboardingplugin-fw\includes\class-yith-bh-onboarding.php:36
actionwp_dashboard_setupplugin-fw\includes\class-yith-dashboard.php:146
actionadmin_enqueue_scriptsplugin-fw\includes\class-yith-dashboard.php:147
actionadmin_initplugin-fw\includes\class-yith-post-type-admin.php:65
actioncurrent_screenplugin-fw\includes\class-yith-post-type-admin.php:67
actionedit_form_topplugin-fw\includes\class-yith-post-type-admin.php:70
actionmanage_posts_extra_tablenavplugin-fw\includes\class-yith-post-type-admin.php:119
actionmanage_posts_extra_tablenavplugin-fw\includes\class-yith-post-type-admin.php:120
actionrestrict_manage_postsplugin-fw\includes\class-yith-post-type-admin.php:122
filterrequestplugin-fw\includes\class-yith-post-type-admin.php:123
filterlist_table_primary_columnplugin-fw\includes\class-yith-post-type-admin.php:125
filterpost_row_actionsplugin-fw\includes\class-yith-post-type-admin.php:126
filterpage_row_actionsplugin-fw\includes\class-yith-post-type-admin.php:127
filterdefault_hidden_columnsplugin-fw\includes\class-yith-post-type-admin.php:129
actiondisable_months_dropdownplugin-fw\includes\class-yith-post-type-admin.php:137
filteradmin_body_classplugin-fw\includes\class-yith-system-status.php:95
actionadmin_menuplugin-fw\includes\class-yith-system-status.php:96
actionadmin_initplugin-fw\includes\class-yith-system-status.php:97
actionadmin_noticesplugin-fw\includes\class-yith-system-status.php:98
actionadmin_enqueue_scriptsplugin-fw\includes\class-yith-system-status.php:99
actioninitplugin-fw\includes\class-yith-system-status.php:100
filteryith_plugin_fw_privacy_guide_contentplugin-fw\includes\privacy\class-yith-privacy-plugin-abstract.php:39
actionadmin_initplugin-fw\includes\privacy\class-yith-privacy.php:50
actionplugins_loadedplugin-fw\init.php:94
filterextra_theme_headersplugin-fw\yit-functions.php:602
filteryit_title_special_charactersplugin-fw\yit-functions.php:726
filterplugin_row_metaplugin-fw\yit-plugin.php:56
actionadmin_noticesplugin-fw\yit-plugin.php:298
actionplugins_loadedplugin-fw\yit-plugin.php:300
actionshutdownplugin-fw\yit-woocommerce-compatibility.php:765
Maintenance & Trust

YITH WooCommerce Popup Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 2, 2026
PHP min version7.4
Downloads282K

Community Trust

Rating48/100
Number of ratings11
Active installs2K
Alternatives

YITH WooCommerce Popup Alternatives

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

ays-popup-box

A
92

Build flexible popups and modal windows with multiple popup types, triggers, and display controls.

50K 17 CVEs
Brave Popup Builder – Popup, Optins, Lead Generation, Survey & Interactive Content

Brave Popup Builder – Popup, Optins, Lead Generation, Survey & Interactive Content

brave-popup-builder

A
92

The best drag-and-drop Popup Builder for WordPress. Create Popups, exit-intent popups, slide-ins, and lead generation forms & Woocommerce popups i &hellip;

20K 5 CVEs
Poptin – Exit Pop Ups & Email Popups

Poptin – Exit Pop Ups & Email Popups

poptin

A
100

Free exit intent popup builder, gamified popups with spin the wheel, contact form builder & lead generation pop ups platform for your website. 🎉

20K 1 CVE
Pop-up

Pop-up

pop-up-pop-up

A
99

Pop-up Popups

10K 2 CVEs
Modal Popup Box: A Flexible Pop Up Box Builder

Modal Popup Box: A Flexible Pop Up Box Builder

modal-popup-box

A
94

Create and manage a customizable pop up box on your WordPress website. Embed anything from videos and images to forms and shortcodes.

2K 2 CVEs
Developer Profile

YITH WooCommerce Popup Developer Profile

YITHEMES

33 plugins · 1.1M total installs

77
trust score
Avg Security Score
97/100
Avg Patch Time
411 days
View full developer profile
Detection Fingerprints

How We Detect YITH WooCommerce Popup

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/yith-woocommerce-popup/assets/css/yith-popup.css/wp-content/plugins/yith-woocommerce-popup/assets/css/yith-popup.css.map/wp-content/plugins/yith-woocommerce-popup/assets/js/yith-popup.js/wp-content/plugins/yith-woocommerce-popup/assets/js/yith-popup.js.map/wp-content/plugins/yith-woocommerce-popup/assets/css/backend.css/wp-content/plugins/yith-woocommerce-popup/assets/js/backend.js/wp-content/plugins/yith-woocommerce-popup/plugin-fw/vendor/wp-plugin-fw/assets/css/plugin-fw.css/wp-content/plugins/yith-woocommerce-popup/plugin-fw/vendor/wp-plugin-fw/assets/js/plugin-fw.js+2 more
Script Paths
/wp-content/plugins/yith-woocommerce-popup/assets/js/yith-popup.js/wp-content/plugins/yith-woocommerce-popup/assets/js/backend.js
Version Parameters
/wp-content/plugins/yith-woocommerce-popup/assets/css/yith-popup.css?ver=/wp-content/plugins/yith-woocommerce-popup/assets/js/yith-popup.js?ver=/wp-content/plugins/yith-woocommerce-popup/assets/css/backend.css?ver=/wp-content/plugins/yith-woocommerce-popup/assets/js/backend.js?ver=/wp-content/plugins/yith-woocommerce-popup/plugin-fw/vendor/wp-plugin-fw/assets/css/plugin-fw.css?ver=/wp-content/plugins/yith-woocommerce-popup/plugin-fw/vendor/wp-plugin-fw/assets/js/plugin-fw.js?ver=/wp-content/plugins/yith-woocommerce-popup/plugin-fw/vendor/wp-plugin-fw/assets/js/vue-template-compiler.min.js?ver=/wp-content/plugins/yith-woocommerce-popup/plugin-fw/vendor/wp-plugin-fw/assets/js/vue.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
yith-popup-wrapperyith-popup-overlayyith-popup-contentyith-popup-closeyith-popup-triggeryith-ypop-noticeyith-popup-popup
HTML Comments
<!-- Exit if accessed directly. --><!-- Premium installed notice. --><!-- Registration hook ________________________________________. --><!-- Define constants ________________________________________. -->+17 more
Data Attributes
data-yith-popup-iddata-ypop-popup-iddata-ypop-iddata-ypop-cookiedata-ypop-urldata-ypop-width+2 more
JS Globals
window.YITH_Popup_Frontendwindow.YITH_Popupvar YITH_YPOP_VERSION = '1.54.0';var YITH_YPOP_FREE_INIT = 'yith-woocommerce-popup/init.php';var YITH_YPOP_INIT = 'yith-woocommerce-popup/init.php';var YITH_YPOP_FILE = '.../wp-content/plugins/yith-woocommerce-popup/init.php';+8 more
FAQ

Frequently Asked Questions about YITH WooCommerce Popup