WordPress Plugin Vulnerabilities

Popup Builder < 4.4.3 - Unauthenticated Subscriber Removal via Predictable Tokens

Description

The plugin is vulnerable to authorization bypass due to the plugin generating predictable unsubscribe tokens using deterministic data. This makes it possible for unauthenticated attackers to unsubscribe arbitrary subscribers from mailing lists via brute-forcing the unsubscribe token, granted they know the victim's email address

Affects Plugins

Plugin icon
popup-builder
Fixed in 4.4.3

References

CVE
CVE-2025-13079
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/62b29721-0580-4e1d-824d-9b8355890248

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
0afce36d-aa56-4eb7-865d-d30aeff21f1f

Timeline

Publicly Published
2026-02-18 (about 2 months ago)
Added
2026-02-18 (about 2 months ago)
Last Updated
2026-02-18 (about 2 months ago)

Other

Published
Title
Published
2025-08-21
Title
Wp Edit Password Protected < 1.3.5 - Protection Bypass via REST API
Published
2019-10-14
Title
WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
Published
2020-04-11
Title
Tickera WordPress Event Ticketing < 3.4.6.9 - Unauthenticated Sensitive Data Exposure
Published
2015-03-12
Title
Custom Field Suite <= 2.4 - Insufficient Authorisation
Published
2017-12-12
Title
Rating-Widget: Star Review System < 2.9.0 - Enable Debugging