Vulnerabilities and security researches forholler-box holler-box

Jun 06, 2026

CVE, Research URL: CVE-2026-48885
Home page URL: Security reports for Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
Application: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
Date: -
Research Description: HollerBox — Fast & Effective Popups & Lead-Generation [holler-box] < 2.3.11 CVE-2026-48885
Affected versions: max 2.3.11.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: ea1743a404554a3ca4ad07e78b195d7f0d893a95
Home page URL: Security reports for Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
Application: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
Date: May 02, 2023
Research Description: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox [holler-box] < 2.1.4 HollerBox <= 2.1.3 - Authenticated (edit_popups+) SQL Injection The HollerBox plugin for WordPress is vulnerable to generic SQL Injection via the ‘get_report_data’ function in versions up to, and including, 2.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with the 'edit_popups' capability to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note that the 'edit_popups' capability is not assigned to any user by default, though an administrator could assign it arbitrarily using a third-party plugin or directly through the database.
Affected versions: max 2.1.4.
Status: vulnerable

CVE, Research URL: CVE-2023-2111
Home page URL: Security reports for Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
Application: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
Date: May 30, 2023
Research Description: The Fast & Effective Popups & Lead-Generation for WordPress plugin before 2.1.4 concatenates user input into an SQL query without escaping it first in the plugin's report API endpoint, which could allow administrators in multi-site configuration to leak sensitive information from the site's database.
Affected versions: max 2.1.4.
Status: vulnerable

CVE, Research URL: CVE-2023-41657
Home page URL: Security reports for Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
Application: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
Date: Sep 29, 2023
Research Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Groundhogg Inc. HollerBox plugin <= 2.3.2 versions.
Affected versions: max 2.3.3.
Status: vulnerable