Popup Builder – Create highly converting, mobile friendly marketing popups. WordPress Plugin Security Vulnerabilities | WPScan

20

October 25, 2025

200000

Published

2025-12-12

Title

Popup Builder – Create highly converting, mobile friendly marketing popups. < 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 4.4.2

CVSS

6.4 (medium)

Published

2024-11-21

Title

Popup Builder < 4.3.5 - Admin+ Stored XSS

Fixed in

Fixed in 4.3.5

CVSS

3.5 (low)

Published

2024-08-28

Title

Popup Builder < 4.3.7 - Sensitive Information Exposure via Imported Subscribers CSV File

Fixed in

Fixed in 4.3.7

CVSS

5.3 (medium)

Published

2024-06-14

Title

Popup Builder < 4.3.2 - Missing Authorization in Multiple AJAX Actions

Fixed in

Fixed in 4.3.2

CVSS

7.4 (high)

Published

2024-06-14

Title

Popup Builder – Create highly converting, mobile friendly marketing popups < 4.3.2 - Missing Authorization and Nonce Exposure

Fixed in

Fixed in 4.3.2

CVSS

8.1 (high)

Published

2024-05-31

Title

Popup Builder < 4.3.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via Custom JS

Fixed in

Fixed in 4.3.0

CVSS

6.4 (medium)

Published

2024-03-25

Title

Popup Builder < 4.2.7 - Contributor Stored XSS

Fixed in

Fixed in 4.2.7

CVSS

5.9 (medium)

Published

2024-01-17

Title

popup-builder < 4.2.6 - Admin+ SSRF & File Read

Fixed in

Fixed in 4.2.6

CVSS

4.1 (medium)

Published

2023-12-11

Title

Popup Builder < 4.2.3 - Unauthenticated Stored XSS

Fixed in

Fixed in 4.2.3

CVSS

8.8 (high)

Published

2023-08-28

Title

Popup Builder < 4.2.0 - Admin+ Stored Cross-Site Scripting

Fixed in

Fixed in 4.2.0

CVSS

3.5 (low)

Published

2022-06-30

Title

Popup Builder < 4.1.12 - Settings Update via CSRF

Fixed in

Fixed in 4.1.12

CVSS

4.3 (medium)

Published

2022-06-20

Title

Popup Builder < 4.1.11 - Admin+ Stored Cross-Site Scripting

Fixed in

Fixed in 4.1.11

CVSS

3.4 (low)

Published

2022-06-17

Title

Popup Builder < 4.1.1 - Popup Status Change via CSRF

Fixed in

Fixed in 4.1.1

CVSS

4.3 (medium)

Published

2022-03-07

Title

Popup Builder < 4.1.1 - SQL Injection to Reflected Cross-Site Scripting

Fixed in

Fixed in 4.1.1

CVSS

6.1 (medium)

Published

2022-01-24

Title

Popup Builder < 4.0.7 - Admin+ SQL Injection

Fixed in

Fixed in 4.0.7

CVSS

6.8 (medium)

Published

2022-01-24

Title

Popup Builder < 4.0.7 - LFI to RCE

Fixed in

Fixed in 4.0.7

CVSS

9.9 (critical)

Published

2021-02-02

Title

Popup Builder < 3.74 - Authenticated Reflected Cross-Site Scripting (XSS)

Fixed in

Fixed in 3.74

CVSS

6.1 (medium)

Published

2020-03-12

Title

Popup Builder < 3.64.1 - Multiple Issues

Fixed in

Fixed in 3.64.1

CVSS

6.3 (medium)

Published

2020-02-16

Title

Popup Builder < 3.0 - SQL injection via PHP Deserialization

Fixed in

Fixed in 3.0

CVSS

9.8 (critical)

Published

2019-08-06

Title

Popup Builder <= 3.44 - SQL Injection

Fixed in

Fixed in 3.45

CVSS

9.8 (critical)