Vulnerabilities and security researches forwp-popup-builder wp-popup-builder

Jun 07, 2024

CVE, Research URL: CVE-2022-2405
Home page URL: Security reports for WP Popup Builder – Popup Forms and Marketing Lead Generation
Application: WP Popup Builder – Popup Forms and Marketing Lead Generation
Date: Sep 26, 2022
Research Description: The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup
Affected versions: max 1.3.0.
Status: vulnerable

CVE, Research URL: CVE-2022-2404
Home page URL: Security reports for WP Popup Builder – Popup Forms and Marketing Lead Generation
Application: WP Popup Builder – Popup Forms and Marketing Lead Generation
Date: Sep 26, 2022
Research Description: The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
Affected versions: max 1.2.9.
Status: vulnerable

Oct 17, 2024

CVE, Research URL: CVE-2024-9061
Home page URL: Security reports for WP Popup Builder – Popup Forms and Marketing Lead Generation
Application: WP Popup Builder – Popup Forms and Marketing Lead Generation
Date: Oct 16, 2024
Research Description: The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access.
Affected versions: max 1.3.6.
Status: vulnerable

Nov 11, 2025

CVE, Research URL: CVE-2025-62902
Home page URL: Security reports for WP Popup Builder – Popup Forms and Marketing Lead Generation
Application: WP Popup Builder – Popup Forms and Marketing Lead Generation
Date: Oct 27, 2025
Research Description: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk WP Popup Builder wp-popup-builder allows Retrieve Embedded Sensitive Data.This issue affects WP Popup Builder: from n/a through <= 1.3.6.
Affected versions: max 1.3.6.
Status: vulnerable