Vulnerabilities and security researches forpopup-maker popup-maker
Direction: ascendingJun 07, 2024
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2022-3690
- CVE, Research URL
- Date
- Nov 21, 2022
- Research Description
- The Popup Maker WordPress plugin before 1.16.11 does not sanitise and escape some of its Popup options, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against admins
- Affected versions
-
max 1.16.11.
- Status
-
vulnerable
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2022-1104
- CVE, Research URL
- Date
- May 09, 2022
- Research Description
- The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
- Affected versions
-
max 1.16.5.
- Status
-
vulnerable
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2022-4362
- CVE, Research URL
- Date
- Jan 03, 2023
- Research Description
- The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks
- Affected versions
-
max 1.16.9.
- Status
-
vulnerable
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2017-2284
- CVE, Research URL
- Date
- Aug 02, 2017
- Research Description
- Cross-site scripting vulnerability in Popup Maker prior to version 1.6.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- Affected versions
-
max 1.6.5.
- Status
-
vulnerable
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2019-17574
- CVE, Research URL
- Date
- Oct 14, 2019
- Research Description
- An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file").
- Affected versions
-
max 1.8.13.
- Status
-
vulnerable
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2022-4381
- CVE, Research URL
- Date
- Jan 03, 2023
- Research Description
- The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks
- Affected versions
-
max 1.16.9.
- Status
-
vulnerable
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2022-47597
- CVE, Research URL
- Date
- Dec 20, 2023
- Research Description
- Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Popup Maker Popup Maker – Popup for opt-ins, lead gen, & more.This issue affects Popup Maker – Popup for opt-ins, lead gen, & more: from n/a through 1.17.1.
- Affected versions
-
max 1.18.0.
- Status
-
vulnerable
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2024-2336
- CVE, Research URL
- Date
- Apr 10, 2024
- Research Description
- The Popup Maker – Popup for opt-ins, lead gen, & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.18.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 1.18.3.
- Status
-
vulnerable
Jun 10, 2024
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2022-45819
- CVE, Research URL
- Date
- Dec 13, 2024
- Research Description
- Missing Authorization vulnerability in Popup Maker Popup Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Maker: from n/a through 1.17.1.
- Affected versions
-
max 1.18.0.
- Status
-
vulnerable
Aug 20, 2024
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2024-7054
- CVE, Research URL
- Date
- Aug 20, 2024
- Research Description
- The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘close_text’ parameter in all versions up to, and including, 1.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 1.19.1.
- Status
-
vulnerable
Sep 11, 2024
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2024-5561
- CVE, Research URL
- Date
- Sep 09, 2024
- Research Description
- The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
- Affected versions
-
max 1.19.1.
- Status
-
vulnerable
Oct 03, 2024
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2024-47358
- CVE, Research URL
- Date
- Nov 01, 2024
- Research Description
- Missing Authorization vulnerability in Daniel Iser Popup Maker popup-maker.This issue affects Popup Maker: from n/a through <= 1.19.2.
- Affected versions
-
max 1.20.0.
- Status
-
vulnerable
Dec 12, 2024
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2024-10583
- CVE, Research URL
- Date
- Dec 12, 2024
- Research Description
- The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘post_title’ parameter in all versions up to, and including, 1.20.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 1.20.3.
- Status
-
vulnerable
Jan 25, 2025
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2025-24746
- CVE, Research URL
- Date
- Jan 24, 2025
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Iser Popup Maker popup-maker allows Stored XSS.This issue affects Popup Maker: from n/a through <= 1.20.2.
- Affected versions
-
max 1.20.3.
- Status
-
vulnerable
Jun 06, 2025
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2025-4205
- CVE, Research URL
- Date
- Jun 03, 2025
- Research Description
- The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘popupID' parameter in all versions up to, and including, 1.20.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 1.20.5.
- Status
-
vulnerable
Nov 09, 2025
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2025-9490
- CVE, Research URL
- Date
- Sep 26, 2025
- Research Description
- The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.20.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 1.21.0.
- Status
-
vulnerable
Jun 13, 2026
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2023-33999
- CVE, Research URL
- Date
- Jun 11, 2026
- Research Description
- Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
- Affected versions
-
max 1.10.0.
- Status
-
vulnerable
Jun 16, 2026
Popup Maker – Popup for opt-ins, lead gen, & more # 6ff37c2e-e21d-4abc-bafe-8ca6a2c1ed76
- CVE, Research URL
- Date
- -
- Research Description
- Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.8.3 Freemius Library < 2.2.4 - Subscriber+ Arbitrary Option Update The library, used in numerous plugins, does not have proper authorisation when updating blog options, allowing any authenticated users, such as subscriber to update arbitrary options
- Affected versions
-
max 1.8.3.
- Status
-
vulnerable
Popup Maker – Popup for opt-ins, lead gen, & more # 138af3136b67b000f20b74ce5d3071ef77150667
- CVE, Research URL
- Date
- Sep 26, 2022
- Research Description
- Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.16.9 Popup Maker <= 1.16.8 - Authenticated (Contributor+) Cross-Site Scripting The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the popup body content in versions up to, and including, 1.16.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 1.16.9.
- Status
-
vulnerable
Popup Maker – Popup for opt-ins, lead gen, & more # 7e57cd4f4859826de00a8e2b09ee24fb7f2d824b
- CVE, Research URL
- Date
- Feb 25, 2019
- Research Description
- Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.8.3 Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update The Freemius SDK for WordPress is vulnerable to authorization bypass due to a missing capability check on the _get_db_option and _set_db_option functions in versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change site settings and potentially take over the site.
- Affected versions
-
max 1.8.3.
- Status
-
vulnerable
Popup Maker – Popup for opt-ins, lead gen, & more # 474920b53a3f66864948949f8baa9e89ab06023b
- CVE, Research URL
- Date
- Mar 08, 2023
- Research Description
- Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.18.1 Popup Maker <= 1.18.0 - Cross-Site Request Forgery via init The Popup Maker plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.18.0. This is due to missing or incorrect nonce validation on the 'init' function. This makes it possible for unauthenticated attackers to flush the popup cache via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
max 1.18.1.
- Status
-
vulnerable
Popup Maker – Popup for opt-ins, lead gen, & more # c5aa28f4a3ad15c66fb8396a3d2622eb4d13577b
- CVE, Research URL
- Date
- Mar 09, 2023
- Research Description
- Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.18.1 WordPress Popup Maker Plugin <= 1.18.0 is vulnerable to Cross Site Request Forgery (CSRF) Update the WordPress Popup Maker plugin to the latest available version (at least 1.18.1). Unknown discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Popup Maker Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 1.18.1.
- Affected versions
-
max 1.18.1.
- Status
-
vulnerable
Jul 09, 2026
Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2026-8848
- CVE, Research URL
- Date
- Jul 09, 2026
- Research Description
- The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.22.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with editor-level access and above, to install and activate an arbitrary plugin from an attacker-controlled URL, leading to remote code execution. Exploitation requires that a valid Popup Maker Pro license is active on the target site and that Popup Maker Pro is not yet installed, as these conditions are necessary for the legacy v1/connect/info endpoint to issue the bearer token used to satisfy the install endpoint's only non-spoofable validation check.
- Affected versions
-
max 1.23.0.
- Status
-
vulnerable