GCVE - cpe:2.3:a:themehunk:wp_popup_builder:*:*:*:*:*:wordpress:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:themehunk:wp_popup_builder:*:*:*:*:*:wordpress:*:*

part: a version: * update: *

Vendor	Themehunk (`b3cb38a5-b275-5673-a051-0d6ce3409958`)
Product	Wp Popup Builder (`eec566a7-09a3-54e7-849e-c82dc2810239`)
Edition	*
Language	*
Software edition	*
Target software	wordpress
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/themehunk/wp-popup-builder`	purl2cpe	2026-06-01 10:13:13.181847

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-62902`	vulnerable	2026-06-03 15:09:35.704444	WordPress WP Popup Builder plugin <= 1.3.8 - Sensitive Data Exposure vulnerability MEDIUM (5.3) Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk WP Popup Builder wp-popup-builder allows Retrieve Embedded Sensitive Data.This issue affects WP Popup Builder: from n/a through <= 1.3.8. Published: 2025-10-27T01:33:50.531Z Updated: 2026-04-28T16:14:05.156Z Open on db.gcve.eu Reference links https://patchstack.com/database/Wordpress/Plugin/wp-popup-builder/vulnerability/wordpress-wp-popup-builder-plugin-1-3-6-sensitive-data-exposure-vulnerability?_s_id=cve	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-9061`	vulnerable	2026-06-03 14:58:20.399523	WP Popup Builder – Popup Forms and Marketing Lead Generation <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add HIGH (7.3) The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access. Published: 2024-10-16T07:31:49.028Z Updated: 2026-04-08T16:35:08.118Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/0cac1dc0-87dc-43eb-9db1-638a91200b43?source=cve https://plugins.trac.wordpress.org/changeset/3166506/wp-popup-builder	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-2405`	vulnerable	2026-06-03 14:47:06.278429	WP Popup Builder < 1.3.0 - Subscriber+ Arbitrary Popup Deletion The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup Published: 2022-09-26T12:35:34.000Z Updated: 2025-05-21T19:19:27.568Z Open on db.gcve.eu Reference links https://wpscan.com/vulnerability/50037028-2790-47ee-aae1-faf0724eb917	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-2404`	vulnerable	2026-06-03 14:47:06.277863	WP Popup Builder < 1.2.9 - Reflected Cross-Site Scripting The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting Published: 2022-09-26T12:35:33.000Z Updated: 2025-05-21T19:20:21.761Z Open on db.gcve.eu Reference links https://wpscan.com/vulnerability/0d889dde-b9d5-46cf-87d3-4f8a85cf9b98	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.