22 Apr 2025

WordPress Plugin Security Review: Popup Builder

For our 47th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Popup Builder.

If you are not yet a customer of the service, once you sign up for the service as a paying customer, you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service. [Read more]

20 Feb 2020

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in Popup Builder

While a recent report of a claimed cross-site scripting (XSS) vulnerability in Popup Builder by Mehran Feizi comes with a proof of concept that doesn’t work and doesn’t appear to have been tested, there is in fact a reflected XSS vulnerability in the plugin if the relevant code is accessed differently.


[Read more]

18 Oct 2019

Not Really a WordPress Plugin Vulnerability, Week of October 18

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports of things that don’t appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. Those that don’t rise to the level of getting their own post we now place in a weekly post when we come across them.

Cross Site Scripting in FooGallery, Popup Builder, and Soliloquy

Related claimed cross-site scripting vulnerabilities in the plugins FooGallery, Popup Builder, and Soliloquy involve a common cause of false reports of persistent cross-site scripting (XSS) vulnerabilities: people not understanding that WordPress allows users with the unfiltered_html capability to do the equivalent of XSS. In this case, if you follow the instructions you find that you are entering the XSS code in the title of a custom WordPress post, which is permitted for users with the unfiltered_html capability but is not permitted for those without it. [Read more]
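The quickest way to separate a real stored XSS from unfiltered_html at work is to run the same input through WordPress’s own save-time filters as two different users. The script below is an added example for this post, not code from the plugins reviewed or from WordPress itself; it assumes a WordPress install run through WP-CLI (`wp eval-file check-unfiltered-html.php`) and two existing users whose login names (`admin` and `author`) are placeholders to replace with your own.

```php
<?php
/**
 * Added example (not from the page or the plugins it discusses): checks whether a
 * "stored XSS via post title" report is just the unfiltered_html capability at work.
 * Run inside a WordPress install, e.g. `wp eval-file check-unfiltered-html.php`.
 * The two login names below are assumptions; replace them with users on your site.
 */

// Constructed test input, not a payload from any of the reports discussed.
$payload = '<script>alert(1)</script>';

// Assumed logins: an Administrator (has unfiltered_html on a single-site install)
// and an Author (does not).
$logins = array( 'admin', 'author' );

foreach ( $logins as $login ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        printf( "User %s not found\n", $login );
        continue;
    }

    // Make both the capability check and the save-time filters apply to this user.
    // kses_init() is the function WordPress hooks to 'init' and 'set_current_user':
    // it removes the kses filters when the current user has unfiltered_html and
    // installs them otherwise. Called explicitly here so the state is unambiguous.
    wp_set_current_user( $user->ID );
    kses_init();

    // Run the title through the same filter hook wp_insert_post() applies to
    // post_title. wp_insert_post() expects slashed data, and wp_filter_kses()
    // strips and re-adds slashes around wp_kses(), so mirror that here.
    $stored_title = wp_unslash( apply_filters( 'title_save_pre', wp_slash( $payload ) ) );

    printf(
        "%s: unfiltered_html=%s, title as it would be stored: %s\n",
        $login,
        user_can( $user, 'unfiltered_html' ) ? 'yes' : 'no',
        $stored_title
    );
}
```

If the script tag survives only for the user who reports unfiltered_html=yes, the “vulnerability” is just the capability doing what it is documented to do. Two caveats when reading the output: on a multisite install only super admins have unfiltered_html by default, so an ordinary site Administrator there will see the input filtered; and defining the DISALLOW_UNFILTERED_HTML constant as true removes the capability from everyone. A report only describes a real stored XSS if the payload survives for a user who reports unfiltered_html=no.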

6 Aug 2019

Vulnerability Details: Authenticated SQL Injection in Popup Builder

Today Fortinet released a misleading “Zero-Day Advisory” about a vulnerability in the plugin Popup Builder. What is described is not a zero-day and the description is missing key information that would let everyone know that the issue is of limited concern (they have repeatedly failed to mention that type of information in recent reports of claimed vulnerabilities in WordPress plugins). Here is what they describe the issue as:


[Read more]