Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total17
Critical1
High5
Medium11
Reset
Showing 1-17 of 17 records
Threat Entry Updated 2026-02-19

CVE-2025-13079 - Popup Builder Plugin

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due to the plugin generating predictable unsubscribe tokens using deterministic data. This makes it possible for unauthenticated attackers to unsubscribe arbitrary subscribers from mailing lists via brute-forcing the unsubscribe token, granted they know the victim's email address

PLUGIN Popup Builder

CVE-2025-13079

MEDIUM CVSS 5.3 2026-02-19
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-9856 - Popup Builder Plugin

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Popup Builder

CVE-2025-9856

MEDIUM CVSS 6.4 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-9428 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Popup Builder

CVE-2024-9428

MEDIUM CVSS 4.8 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2024-09-09

CVE-2024-2541 - Popup Builder Plugin

The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. This data may include the first name, last name, e-mail address, and potentially other personally identifiable information of subscribers.

PLUGIN Popup Builder

CVE-2024-2541

MEDIUM CVSS 5.3 2024-08-29
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-3602 - Popup Builder Plugin

The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function in all versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with subscriber access or higher, to remove the Promolayer connection.

PLUGIN Popup Builder

CVE-2024-3602

MEDIUM CVSS 4.3 2024-06-20
Open Full Technical Breakdown
Threat Entry Updated 2025-05-13

CVE-2024-3236 - Popup Builder Plugin

The Popup Builder WordPress plugin before 1.1.33 does not sanitise and escape some of its Notification fields, which could allow users such as contributor and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Popup Builder

CVE-2024-3236

MEDIUM CVSS 5.4 2024-06-17
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-6696 - Popup Builder Plugin

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 4.3.1. While some functions contain a nonce check, the nonce can be obtained from the profile page of a logged-in user. This allows subscribers to perform several actions including deleting subscribers and perform blind Server-Side Request Forgery.

PLUGIN Popup Builder

CVE-2023-6696

HIGH CVSS 8.1 2024-06-15
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-2544 - Popup Builder Plugin

The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple unauthorized actions, such as deleting subscribers, and importing subscribers to conduct stored cross-site scripting attacks.

PLUGIN Popup Builder

CVE-2024-2544

HIGH CVSS 7.4 2024-06-15
Open Full Technical Breakdown
Threat Entry Updated 2025-04-24

CVE-2023-6294 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress configurations.

PLUGIN Popup Builder

CVE-2023-6294

HIGH CVSS 7.2 2024-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-06-18

CVE-2023-6000 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.

PLUGIN Popup Builder

CVE-2023-6000

MEDIUM CVSS 6.1 2024-01-01
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-3226 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Popup Builder

CVE-2023-3226

MEDIUM CVSS 4.8 2023-09-25
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2022-1894 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.1.11 does not escape and sanitize some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltred_html is disallowed

PLUGIN Popup Builder

CVE-2022-1894

MEDIUM CVSS 4.8 2022-07-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2022-0479 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack against a logged in admin opening a malicious link

PLUGIN Popup Builder

CVE-2022-0479

CRITICAL CVSS 9.8 2022-03-28
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2022-0228 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection

PLUGIN Popup Builder

CVE-2022-0228

HIGH CVSS 7.2 2022-02-21
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-25082 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to RCE vulnerability via wrappers such as PHAR

PLUGIN Popup Builder

CVE-2021-25082

HIGH CVSS 8.8 2022-02-21
Open Full Technical Breakdown
Scroll to top