cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forpopup-maker popup-maker

Direction: ascending
Jun 07, 2024

Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2022-3690

CVE, Research URL

CVE-2022-3690

Date
Nov 21, 2022
Research Description
The Popup Maker WordPress plugin before 1.16.11 does not sanitise and escape some of its Popup options, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against admins
Affected versions
max 1.16.11.
Status
vulnerable

Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2022-1104

CVE, Research URL

CVE-2022-1104

Date
May 09, 2022
Research Description
The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Affected versions
max 1.16.5.
Status
vulnerable

Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2022-4362

CVE, Research URL

CVE-2022-4362

Date
Jan 03, 2023
Research Description
The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks
Affected versions
max 1.16.9.
Status
vulnerable

Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2017-2284

CVE, Research URL

CVE-2017-2284

Date
Aug 02, 2017
Research Description
Cross-site scripting vulnerability in Popup Maker prior to version 1.6.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Affected versions
max 1.6.5.
Status
vulnerable

Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2019-17574

CVE, Research URL

CVE-2019-17574

Date
Oct 14, 2019
Research Description
An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file").
Affected versions
max 1.8.13.
Status
vulnerable

Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2022-4381

CVE, Research URL

CVE-2022-4381

Date
Jan 03, 2023
Research Description
The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks
Affected versions
max 1.16.9.
Status
vulnerable

Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2022-47597

CVE, Research URL

CVE-2022-47597

Date
Dec 20, 2023
Research Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Popup Maker Popup Maker – Popup for opt-ins, lead gen, & more.This issue affects Popup Maker – Popup for opt-ins, lead gen, & more: from n/a through 1.17.1.
Affected versions
max 1.18.0.
Status
vulnerable

Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2024-2336

CVE, Research URL

CVE-2024-2336

Date
Apr 10, 2024
Research Description
The Popup Maker – Popup for opt-ins, lead gen, & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.18.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.18.3.
Status
vulnerable
Jun 10, 2024

Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2022-45819

CVE, Research URL

CVE-2022-45819

Date
Dec 13, 2024
Research Description
Missing Authorization vulnerability in Popup Maker Popup Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Maker: from n/a through 1.17.1.
Affected versions
max 1.18.0.
Status
vulnerable
Aug 20, 2024

Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2024-7054

CVE, Research URL

CVE-2024-7054

Date
Aug 20, 2024
Research Description
The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘close_text’ parameter in all versions up to, and including, 1.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.19.1.
Status
vulnerable
Sep 11, 2024

Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2024-5561

CVE, Research URL

CVE-2024-5561

Date
Sep 09, 2024
Research Description
The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions
max 1.19.1.
Status
vulnerable
Oct 03, 2024

Popup Maker – Popup for opt-ins, lead gen, & more # CVE-2024-47358

CVE, Research URL

CVE-2024-47358

Date
Nov 01, 2024
Research Description
Missing Authorization vulnerability in Daniel Iser Popup Maker popup-maker.This issue affects Popup Maker: from n/a through <= 1.19.2.
Affected versions
max 1.20.0.
Status
vulnerable
Dec 12, 2024

Popup Maker &#8211; Popup for opt-ins, lead gen, &amp; more # CVE-2024-10583

CVE, Research URL

CVE-2024-10583

Date
Dec 12, 2024
Research Description
The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘post_title’ parameter in all versions up to, and including, 1.20.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.20.3.
Status
vulnerable
Jan 25, 2025

Popup Maker &#8211; Popup for opt-ins, lead gen, &amp; more # CVE-2025-24746

CVE, Research URL

CVE-2025-24746

Date
Jan 24, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Iser Popup Maker popup-maker allows Stored XSS.This issue affects Popup Maker: from n/a through <= 1.20.2.
Affected versions
max 1.20.3.
Status
vulnerable
Jun 06, 2025

Popup Maker &#8211; Popup for opt-ins, lead gen, &amp; more # CVE-2025-4205

CVE, Research URL

CVE-2025-4205

Date
Jun 03, 2025
Research Description
The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘popupID' parameter in all versions up to, and including, 1.20.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.20.5.
Status
vulnerable
Nov 09, 2025

Popup Maker &#8211; Popup for opt-ins, lead gen, &amp; more # CVE-2025-9490

CVE, Research URL

CVE-2025-9490

Date
Sep 26, 2025
Research Description
The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.20.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.21.0.
Status
vulnerable
Jun 13, 2026

Popup Maker &#8211; Popup for opt-ins, lead gen, &amp; more # CVE-2023-33999

CVE, Research URL

CVE-2023-33999

Date
Jun 11, 2026
Research Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
Affected versions
max 1.10.0.
Status
vulnerable
Jun 16, 2026

Popup Maker &#8211; Popup for opt-ins, lead gen, &amp; more # 6ff37c2e-e21d-4abc-bafe-8ca6a2c1ed76

Date
-
Research Description
Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.8.3 Freemius Library &lt; 2.2.4 - Subscriber+ Arbitrary Option Update The library, used in numerous plugins, does not have proper authorisation when updating blog options, allowing any authenticated users, such as subscriber to update arbitrary options
Affected versions
max 1.8.3.
Status
vulnerable

Popup Maker &#8211; Popup for opt-ins, lead gen, &amp; more # 138af3136b67b000f20b74ce5d3071ef77150667

Date
Sep 26, 2022
Research Description
Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.16.9 Popup Maker <= 1.16.8 - Authenticated (Contributor+) Cross-Site Scripting The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the popup body content in versions up to, and including, 1.16.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.16.9.
Status
vulnerable

Popup Maker &#8211; Popup for opt-ins, lead gen, &amp; more # 7e57cd4f4859826de00a8e2b09ee24fb7f2d824b

Date
Feb 25, 2019
Research Description
Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.8.3 Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update The Freemius SDK for WordPress is vulnerable to authorization bypass due to a missing capability check on the _get_db_option and _set_db_option functions in versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change site settings and potentially take over the site.
Affected versions
max 1.8.3.
Status
vulnerable

Popup Maker &#8211; Popup for opt-ins, lead gen, &amp; more # 474920b53a3f66864948949f8baa9e89ab06023b

Date
Mar 08, 2023
Research Description
Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.18.1 Popup Maker <= 1.18.0 - Cross-Site Request Forgery via init The Popup Maker plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.18.0. This is due to missing or incorrect nonce validation on the 'init' function. This makes it possible for unauthenticated attackers to flush the popup cache via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.18.1.
Status
vulnerable

Popup Maker &#8211; Popup for opt-ins, lead gen, &amp; more # c5aa28f4a3ad15c66fb8396a3d2622eb4d13577b

Date
Mar 09, 2023
Research Description
Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.18.1 WordPress Popup Maker Plugin <= 1.18.0 is vulnerable to Cross Site Request Forgery (CSRF) Update the WordPress Popup Maker plugin to the latest available version (at least 1.18.1). Unknown discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Popup Maker Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 1.18.1.
Affected versions
max 1.18.1.
Status
vulnerable
Jul 09, 2026

Popup Maker &#8211; Popup for opt-ins, lead gen, &amp; more # CVE-2026-8848

CVE, Research URL

CVE-2026-8848

Date
Jul 09, 2026
Research Description
The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.22.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with editor-level access and above, to install and activate an arbitrary plugin from an attacker-controlled URL, leading to remote code execution. Exploitation requires that a valid Popup Maker Pro license is active on the target site and that Popup Maker Pro is not yet installed, as these conditions are necessary for the legacy v1/connect/info endpoint to issue the bearer token used to satisfy the install endpoint's only non-spoofable validation check.
Affected versions
max 1.23.0.
Status
vulnerable