WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Popup Maker safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Popup Maker WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: popup-maker
  • Requires PHP: 7.4+
  • Max supported PHP (analyzed): 8.4

Known vulnerabilities

  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.8.13 [CVE-2019-17574, Popup-Maker <= 1.8.12 - Unauthenticated information disclosure, Popup-Maker &lt; 1.8.12 - Multiple Vulnerabilities]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.6.5 [CVE-2017-2284, WordPress plugin "Popup Maker" vulnerable to cross-site scripting, WordPress Popup Maker plugin <=1.6.4 - Authenticated Cross-Site Scripting (XSS) vulnerability, Popup Maker < 1.6.5 - Reflected Cross-Site Scripting, Popup Maker &lt;= 1.6.4 - Authenticated Cross-Site Scripting (XSS)]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.16.5 [CVE-2022-1104, WordPress Popup Maker plugin <= 1.16.4 - Stored Cross-Site Scripting (XSS) vulnerability, Popup Maker <= 1.16.4 - Authenticated (Admin+) Cross-Site Scripting, Popup Maker &lt; 1.16.5 - Admin+ Stored Cross-Site Scripting]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.8.3 [Freemius Library &lt; 2.2.4 - Subscriber+ Arbitrary Option Update]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.16.11 [CVE-2022-3690, WordPress Popup Maker plugin <= 1.16.10 - Auth. Stored Cross-Site Scripting (XSS) vulnerability, Popup Maker <= 1.16.10 - Authenticated (Administrator+) Stored Cross-Site Scripting, Popup Maker &lt; 1.16.11 - Admin+ Stored Cross Site Scripting]
+ 18 more known vulnerabilities
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.16.9 [Popup Maker <= 1.16.8 - Authenticated (Contributor+) Cross-Site Scripting]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.8.3 [Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.16.9 [CVE-2022-4362, Popup Maker <= 1.16.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode, WordPress Popup Maker Plugin < 1.16.9 is vulnerable to Cross Site Scripting (XSS), Popup Maker &lt; 1.16.9 - Contributor+ Stored XSS via Shortcode]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.16.9 [CVE-2022-4381, WordPress Popup Maker Plugin < 1.16.9 is vulnerable to Cross Site Scripting (XSS), Popup Maker &lt; 1.16.9 - Contributor+ Stored XSS via Subscription Form]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.18.1 [Popup Maker <= 1.18.0 - Cross-Site Request Forgery via init]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.18.1 [WordPress Popup Maker Plugin <= 1.18.0 is vulnerable to Cross Site Request Forgery (CSRF)]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.18.0 [CVE-2022-47597, WordPress Popup Maker Plugin <= 1.17.1 is vulnerable to Sensitive Data Exposure, Popup Maker <= 1.17.1 - Sensitive Data Exposure via debug log file]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.18.0 [CVE-2022-45819, WordPress Popup Maker Plugin <= 1.17.1 is vulnerable to Broken Access Control, Popup Maker <= 1.17.1 - Missing Authorization via save_popup_enabled_state]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.10.0 [CVE-2023-33999, WordPress Popup Maker Plugin <= 1.9.2 is vulnerable to Cross Site Scripting (XSS)]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.18.3 [CVE-2024-2336, Popup Maker – Popup for opt-ins, lead gen, & more <= 1.18.2 - Authenticated (Contributor+) Stored Cross-Site Scripting, WordPress Popup Maker Plugin <= 1.18.2 is vulnerable to Cross Site Scripting (XSS), Popup Maker &ndash; Popup for opt-ins, lead gen, &amp; more &lt; 1.18.3 - Contributor+ Stored XSS]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.19.1 [CVE-2024-7054, WordPress Popup Maker Plugin <= 1.19.0 is vulnerable to Cross Site Scripting (XSS), Popup Maker <= 1.19.0 - Authenticated (Contributor+) Stored Cross-Site Scripting]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.19.1 [CVE-2024-5561, WordPress Popup Maker Plugin < 1.19.1 is vulnerable to Cross Site Scripting (XSS), Popup Maker <= 1.19.0 - Authenticated (Admin+) Stored Cross-Site Scripting]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.20.0 [CVE-2024-47358, WordPress Popup Maker Plugin <= 1.19.2 is vulnerable to Broken Access Control, Popup Maker <= 1.19.2 - Missing Authorization]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.20.3 [CVE-2024-10583, Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder <= 1.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.20.3 [CVE-2025-24746, WordPress Popup Maker Plugin <= 1.20.2 is vulnerable to Cross Site Scripting (XSS), Popup Maker <= 1.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting, EUVD-2025-3935]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.20.5 [CVE-2025-4205, Popup Maker <= 1.20.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via popupID Parameter, EUVD-2025-16719]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.21.0 [Popup Maker <= 1.20.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter, EUVD-2025-31215, Popup Maker <= 1.20.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter]
  • Popup Maker &#8211; Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder [popup-maker] < 1.23.0 [CVE-2026-8848, Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder <= 1.22.0 - Missing Authorization to Authenticated (Editor+) Arbitrary Plugin Installation]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.