GCVE - cpe:2.3:a:themehunk:wp_popup_builder:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:themehunk:wp_popup_builder:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Themehunk (`b3cb38a5-b275-5673-a051-0d6ce3409958`)
Product	Wp Popup Builder (`eec566a7-09a3-54e7-849e-c82dc2810239`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/themehunk/wp-popup-builder`	purl2cpe	2026-06-01 10:13:13.174498

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-62902`	vulnerable	2026-06-03 15:09:35.703433	WordPress WP Popup Builder plugin <= 1.3.8 - Sensitive Data Exposure vulnerability MEDIUM (5.3) Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk WP Popup Builder wp-popup-builder allows Retrieve Embedded Sensitive Data.This issue affects WP Popup Builder: from n/a through <= 1.3.8. Published: 2025-10-27T01:33:50.531Z Updated: 2026-04-28T16:14:05.156Z Open on db.gcve.eu Reference links https://patchstack.com/database/Wordpress/Plugin/wp-popup-builder/vulnerability/wordpress-wp-popup-builder-plugin-1-3-6-sensitive-data-exposure-vulnerability?_s_id=cve	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-9061`	vulnerable	2026-06-03 14:58:20.397528	WP Popup Builder – Popup Forms and Marketing Lead Generation <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add HIGH (7.3) The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access. Published: 2024-10-16T07:31:49.028Z Updated: 2026-04-08T16:35:08.118Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/0cac1dc0-87dc-43eb-9db1-638a91200b43?source=cve https://plugins.trac.wordpress.org/changeset/3166506/wp-popup-builder	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.