Description
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due to the plugin generating predictable unsubscribe tokens using deterministic data. This makes it possible for unauthenticated attackers to unsubscribe arbitrary subscribers from mailing lists via brute-forcing the unsubscribe token, granted they know the victim's email address.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass leading to unauthorized subscriber removal
Action: Apply Patch
AI Analysis

Impact

Popup Builder for WordPress has a flaw where unsubscribe tokens are generated deterministically. An unauthenticated attacker can guess a token if the victim’s email address is known and use it to remove an arbitrary subscriber from a mailing list. This bypasses the plugin’s authorization checks and results in data modification (unsubscribing a user) without valid credentials. The weakness is classified as CWE‑1241, an improper authorization issue.

Affected Systems

The vulnerability affects all versions of the Popup Builder – Create highly converting, mobile friendly marketing popups. plugin up to and including 4.4.2, i.e. any WordPress site still running that release or an earlier one.

Risk and Exploitability

The CVSS score of 5.3 indicates Medium severity, while the EPSS score of less than 1% suggests the chance of exploitation is low. The flaw is not currently listed in the CISA KEV catalog. Because the token is predictable and the attack requires only a known email address, an unauthenticated attacker can perform the removal by sending a simple HTTP request to the unsubscribe endpoint, enumerating the limited token space by brute force if needed. The attack is feasible wherever the endpoint is publicly reachable, but the overall likelihood remains low because the attacker must already know each victim's email address and the impact is confined to removing subscriptions.

Generated by OpenCVE AI on April 21, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Popup Builder to the latest version (≥4.4.3) to fix the predictable token issue.
  • If an upgrade cannot be applied immediately, restrict access to the unsubscribe endpoint so that only authenticated users can remove subscribers, or enforce rate limiting on the endpoint to mitigate brute‑force attempts.
  • Audit mailing lists for unauthorized removals and, if necessary, restore removed subscribers from backups or re‑subscribe users who were accidentally unsubscribed.

Generated by OpenCVE AI on April 21, 2026 at 15:58 UTC.
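The root cause described above is a token that is a pure function of data an outsider can know. The following PHP is an added illustration written for this page, not code from the Popup Builder plugin or from OpenCVE: it places a hypothetical deterministic token scheme of the kind the advisory describes next to a hardened scheme built on PHP's standard random_bytes() and hash_equals(). The function names (make_weak_token, issue_unsubscribe_token, verify_unsubscribe_token), the in-memory $subscribers store and the sample address are all constructed for the example.

```php
<?php
// Added example, not the plugin's code. Contrasts a deterministic unsubscribe token
// (the weakness class in this advisory) with a per-subscriber random token.
// All names and data here are hypothetical / constructed.

declare(strict_types=1);

// WEAK (hypothetical illustration of the class): the token depends only on values an
// outsider can know or guess, so anyone who knows the email can recompute it.
function make_weak_token(string $email, int $subscriberId): string
{
    return md5(strtolower($email) . '|' . $subscriberId);
}

// HARDENED: draw a fresh per-subscriber token from the CSPRNG when the subscription is
// created. 32 bytes gives 256 bits of entropy, which is not enumerable. Only a hash is
// stored, so a leaked subscriber table does not hand out usable unsubscribe links.
function issue_unsubscribe_token(array &$subscribers, string $email): string
{
    $token = bin2hex(random_bytes(32));
    $subscribers[$email] = ['token_hash' => hash('sha256', $token)];
    return $token; // embedded only in the link mailed to this subscriber
}

// Verification for the unsubscribe endpoint: constant-time comparison, and an unknown
// email takes the same path as a bad token so the endpoint does not confirm which
// addresses are on the list.
function verify_unsubscribe_token(array $subscribers, string $email, string $token): bool
{
    $stored = $subscribers[$email]['token_hash'] ?? hash('sha256', '');
    $matches = hash_equals($stored, hash('sha256', $token));
    return $matches && isset($subscribers[$email]);
}

// Usage with constructed sample data.
$subscribers = [];
$subscriber  = 'alice@example.com'; // constructed sample address
$linkToken   = issue_unsubscribe_token($subscribers, $subscriber);

// The weak scheme is reproducible by anyone holding the same public inputs.
var_dump(make_weak_token($subscriber, 1) === make_weak_token('Alice@Example.com', 1));

// Knowing the email alone does not yield the hardened token, but the mailed link works.
var_dump(verify_unsubscribe_token($subscribers, $subscriber, make_weak_token($subscriber, 1)));
var_dump(verify_unsubscribe_token($subscribers, $subscriber, $linkToken));
```

Run it with `php example.php`. A stateless alternative that also removes the predictability is an HMAC over the subscriber record keyed with a server-side secret (hash_hmac() with a key that never leaves the server); what matters for this weakness class is that recomputing the token requires something the attacker cannot obtain, whether a stored random value or a secret key. Rate limiting the endpoint, as recommended above, only slows enumeration and does not fix a token that can be derived outright.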

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Popupbuilder; Popupbuilder popup Builder – Create Highly Converting, Mobile Friendly Marketing Popups.; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Popupbuilder; Popupbuilder popup Builder – Create Highly Converting, Mobile Friendly Marketing Popups.; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 04:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due to the plugin generating predictable unsubscribe tokens using deterministic data. This makes it possible for unauthenticated attackers to unsubscribe arbitrary subscribers from mailing lists via brute-forcing the unsubscribe token, granted they know the victim's email address

Type: Title
Values Removed: (none)
Values Added: Popup Builder - Create highly converting, mobile friendly marketing popups. <= 4.4.2 - Improper Authorization to Unauthenticated Subscriber Removal via Predictable Tokens

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-1241

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

  • Popupbuilder: Popup Builder – Create Highly Converting, Mobile Friendly Marketing Popups.
  • Wordpress: Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:08.174Z

Reserved: 2025-11-12T16:38:13.590Z

Link: CVE-2025-13079

Vulnrichment

Updated: 2026-02-19T17:23:16.247Z

NVD

Status: Deferred

Published: 2026-02-19T07:17:29.823

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13079

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:00:13Z

Weaknesses