| CVE-2026-39666 | WordPress Hello Bar Popup Builder plugin <= 1.5.1 - Cross Site Scripting (XSS) vulnerability | telepathy | Hello Bar Popup Builder | - | - | 2026-04-08 08:30:38 | Deep Dive |
| CVE-2025-13535 | King Addons for Elementor <= 51.1.38 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Widgets | kingaddons | King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder | Medium | 6.4 | 2026-04-01 14:37:34 | Deep Dive |
| CVE-2025-13997 | King Addons for Elementor <= 51.1.49 - Unauthenticated API Keys Disclosure | kingaddons | King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder | Medium | 5.3 | 2026-03-23 06:41:08 | Deep Dive |
| CVE-2024-13785 | Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution | reputeinfosystems | Contact Form, Survey, Quiz & Popup Form Builder – ARForms | Medium | 5.6 | 2026-03-21 03:26:54 | Deep Dive |
| CVE-2026-3475 | Instant Popup Builder <= 1.1.7 - Unauthenticated Arbitrary Shortcode Execution via 'token' Parameter | instantpopupbuilder | Instant Popup Builder – Powerful Popup Maker for Opt-ins, Email Newsletters & Lead Generation | Medium | 5.3 | 2026-03-19 07:34:56 | Deep Dive |
| CVE-2025-13079 | Popup Builder - Create highly converting, mobile friendly marketing popups. <= 4.4.2 - Improper Authorization to Unauthenticated Subscriber Removal via Predictable Tokens | popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. | Medium | 5.3 | 2026-02-19 03:25:15 | Deep Dive |
| CVE-2025-14895 | PopupKit <= 2.2.0 - Missing Authorization to Sensitive Information Disclosure and Data Deletion | roxnor | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | Medium | 5.4 | 2026-02-10 09:26:06 | Deep Dive |
| CVE-2025-13192 | Popup builder with Gamification <= 2.2.0 - Unauthenticated SQL Injection via Multiple REST API Endpoints | roxnor | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | High | 8.2 | 2026-02-04 23:22:57 | Deep Dive |
| CVE-2025-14506 | ConvertForce Popup Builder <= 0.0.7 - Stored Cross-Site Scripting via entrance_animation | imtiazrayhan | ConvertForce Popup Builder | Medium | 6.4 | 2026-01-10 11:22:39 | Deep Dive |
| CVE-2025-12449 | aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification | kodezen | aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder | Medium | 5.4 | 2026-01-07 07:17:34 | Deep Dive |
| CVE-2025-14441 | Popupkit <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Subscriber Data Deletion | roxnor | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | Medium | 4.3 | 2026-01-06 04:31:56 | Deep Dive |
| CVE-2025-11370 | Depicter <= 4.0.7 - Missing Authorization to Unauthenticated Display Rule Updates | averta | Depicter — Popup & Slider Builder | Medium | 5.3 | 2026-01-06 03:21:40 | Deep Dive |
| CVE-2025-9856 | Popup Builder – Create highly converting, mobile friendly marketing popups. <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. | Medium | 6.4 | 2025-12-13 08:21:15 | Deep Dive |
| CVE-2025-14446 | Popup Builder <= 1.1.37 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Reset | ghozylab | Easy Notify Lite | Medium | 5.4 | 2025-12-13 04:31:34 | Deep Dive |
| CVE-2025-11373 | Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Safe File Type Upload | averta | Depicter — Popup & Slider Builder | Medium | 4.3 | 2025-11-05 06:35:01 | Deep Dive |
| CVE-2025-8383 | Depicter <= 4.0.4 - Cross-Site Request Forgery | averta | Depicter — Popup & Slider Builder | Medium | 4.3 | 2025-10-31 08:25:56 | Deep Dive |
| CVE-2025-62902 | WordPress WP Popup Builder plugin <= 1.3.8 - Sensitive Data Exposure vulnerability | ThemeHunk | WP Popup Builder | Medium | 5.3 | 2025-10-27 01:33:51 | Deep Dive |
| CVE-2025-10861 | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers <= 2.1.4 - Unauthenticated Server-Side Request Forgery | roxnor | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | High | 7.5 | 2025-10-24 11:25:46 | Deep Dive |
| CVE-2025-10862 | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers <= 2.1.3 - Unauthenticated SQL Injection via 'id' | roxnor | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | High | 7.5 | 2025-10-09 08:23:17 | Deep Dive |
| CVE-2025-9490 | Popup Maker <= 1.20.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter | danieliser | Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder | Medium | 6.4 | 2025-09-26 05:27:21 | Deep Dive |