
Weekly WordPress News: Major Vulnerability in WordPress Popup Maker Affects Over 700,000 Websites

Last Updated on January 12th, 2023


The U.S. government's National Vulnerability Database (NVD) issued an advisory about a stored cross-site scripting vulnerability in the popular Popup Maker plugin for WordPress.

Popup Maker for WordPress:
A vulnerability was discovered in the “Popup Maker” WordPress plugin, which is installed on over 700,000 websites. This plugin integrates with many contact forms and is designed to drive conversions in WooCommerce stores and email newsletter signups. Despite being released in 2021, it has earned over 4,000 five-star reviews.

Popup Maker Vulnerability:
This plugin is vulnerable to stored cross-site scripting (XSS). In a stored XSS attack, a malicious script is submitted to the site and saved on the server, hence the name “stored”; it then runs in the browser of anyone who views the affected page. XSS vulnerabilities occur when input data is not properly sanitised, so the site loses control over what content can be saved. This vulnerability can be exploited if an attacker gains access to an account with at least contributor-level privileges.

Cause & Solution:
Stored XSS vulnerabilities can have severe consequences, including site takeover and user data exposure. An update was released to fix the issue, but the patch introduced a bug. To avoid problems, update to the latest version (V1.17.1).
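
One way to confirm that a site is on the fixed release is to read the plugin's `Version:` header from disk and compare it with 1.17.1. The script below is an added example, not code from this article or from the Popup Maker project; it assumes the plugin sits in a `popup-maker` directory under `wp-content/plugins`, and all function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 17, 1)    # release the article says to update to
SLUG = "popup-maker"  # assumed plugin directory name (wordpress.org slug)

# WordPress plugin headers live in a comment block at the top of the main file.
VERSION_HEADER = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

def parse_version(text):
    """Turn '1.17' or '1.17.1-beta' into a comparable 3-tuple of ints."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    nums = [int(p) for p in m.group(0).split(".")][:3] if m else []
    return tuple(nums + [0] * (3 - len(nums)))

def installed_version(plugins_dir):
    """Return the plugin's Version header string, or None if not installed."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress itself only reads the first 8 KiB when looking for headers.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if re.search(r"Plugin Name:", head, re.I):
            m = VERSION_HEADER.search(head)
            if m:
                return m.group(1)
    return None

def check(plugins_dir):
    """Classify a plugins directory as 'absent', 'outdated' or 'ok'."""
    version = installed_version(plugins_dir)
    if version is None:
        return "absent"
    return "ok" if parse_version(version) >= FIXED else "outdated"

def make_sample(root, version):
    """Constructed sample: a plugin tree holding only a header block."""
    d = Path(root) / SLUG
    d.mkdir(parents=True)
    (d / "main.php").write_text(
        f"<?php\n/**\n * Plugin Name: Popup Maker\n * Version: {version}\n */\n")
    return root

if __name__ == "__main__":
    for v in ("1.16.9", "1.17.0", "1.17.1"):  # constructed version strings
        with tempfile.TemporaryDirectory() as tmp:
            print(v, check(make_sample(tmp, v)))
```

On a real site, pass the path to `wp-content/plugins` to `check()`; an `outdated` result means the plugin is below V1.17.1 and should be updated.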



