Skip to main content

Popup Maker Boost Sales Conversions Optins Subscribers With The Ultimate Wp Popup Builder

1 CVEs product

Monthly

CVE-2026-8848 HIGH This Week

Remote code execution in the Popup Maker WordPress plugin (all versions through 1.22.0) allows authenticated attackers holding editor-level access or above to install and activate an arbitrary plugin from an attacker-controlled URL, resulting in full server-side code execution. The root cause is a missing authorization check (CWE-862) in the plugin's REST API Connect controller, whose install endpoint treats a bearer token - issued by the legacy v1/connect/info endpoint - as its only non-spoofable authorization gate. Reported by Wordfence; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass WordPress RCE Popup Maker Boost Sales Conversions Optins Subscribers With The Ultimate Wp Popup Builder
NVD VulDB
CVSS 3.1
7.2
EPSS
0.7%
EPSS 1% CVSS 7.2
HIGH This Week

Remote code execution in the Popup Maker WordPress plugin (all versions through 1.22.0) allows authenticated attackers holding editor-level access or above to install and activate an arbitrary plugin from an attacker-controlled URL, resulting in full server-side code execution. The root cause is a missing authorization check (CWE-862) in the plugin's REST API Connect controller, whose install endpoint treats a bearer token - issued by the legacy v1/connect/info endpoint - as its only non-spoofable authorization gate. Reported by Wordfence; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass WordPress RCE +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy