Impact
The Instant Popup Builder plugin for WordPress is affected by a flaw that allows any unauthenticated user to inject and execute arbitrary registered shortcodes. The vulnerability arises in the handle_email_verification_page() function, which concatenates user-supplied GET parameters (token and email) into a shortcode string and passes it to WordPress's do_shortcode() function without sanitizing square bracket characters. The sanitization functions used do not strip or escape brackets, and no authorization check is performed on the init hook. As a result, a malicious token containing a closing bracket can prematurely terminate the legitimate shortcode tag, allowing the attacker to append and run arbitrary shortcode syntax. This weakness is classified as CWE-862 (Missing Authorization). The impact is that an attacker can execute any shortcode registered on the target site, potentially leading to data disclosure, unauthorized code execution, or other malicious actions depending on the shortcodes available.
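As an added illustration of the fix pattern for the flaw described above (not the Instant Popup Builder plugin's own code), the handler below validates both GET parameters against a strict allowlist before any shortcode markup is built; the function names prefixed example_ and the [example_email_verify] shortcode are hypothetical, and the token format is assumed to be 32 to 64 hex characters.

```php
<?php
/**
 * Hardened email-verification handler, written as an illustration of the fix
 * pattern; it is not the Instant Popup Builder plugin's code. Assumes a
 * hypothetical [example_email_verify] shortcode taking token and email attributes.
 */

// Vulnerable pattern the advisory describes (do not use): request values are
// concatenated straight into shortcode markup, so a ']' in the token ends the
// tag early and whatever follows is parsed as new shortcode syntax.
//   do_shortcode( '[example_email_verify token="' . $_GET['token'] . '" ...]' );

// Accept only tokens that match a strict allowlist. Assumption: tokens are
// 32-64 hex characters, so '[' and ']' can never reach the shortcode parser.
function example_validate_token( $raw ) {
    return ( is_string( $raw ) && preg_match( '/^[a-f0-9]{32,64}$/', $raw ) ) ? $raw : null;
}

// Normalize and validate the email with WordPress's own helpers; is_email()
// does not accept square brackets, so a valid address cannot carry one.
function example_validate_email( $raw ) {
    $email = is_string( $raw ) ? sanitize_email( $raw ) : '';
    return is_email( $email ) ? $email : null;
}

function example_handle_email_verification_page() {
    if ( ! isset( $_GET['token'], $_GET['email'] ) ) {
        return; // Not a verification request; nothing to do on this init run.
    }
    $token = example_validate_token( wp_unslash( $_GET['token'] ) );
    $email = example_validate_email( wp_unslash( $_GET['email'] ) );

    // Reject malformed input before any shortcode processing takes place.
    if ( null === $token || null === $email ) {
        wp_die( esc_html__( 'Invalid verification link.', 'example' ), '', array( 'response' => 400 ) );
    }

    // Render only the one shortcode this page exists to run, and only if it is
    // registered. The shortcode handler itself (not shown) should still compare
    // the token with the stored server-issued value using hash_equals().
    if ( ! shortcode_exists( 'example_email_verify' ) ) {
        return;
    }
    $markup = sprintf(
        '[example_email_verify token="%s" email="%s"]',
        esc_attr( $token ),
        esc_attr( $email )
    );
    // esc_attr() does not touch brackets; the allowlist above is what keeps them out.
    echo do_shortcode( $markup );
}
add_action( 'init', 'example_handle_email_verification_page' );
```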
Affected Systems
All WordPress sites running the Instant Popup Builder plugin at version 1.1.7 or earlier are vulnerable. The affected vendor product is "Instant Popup Builder – Powerful Popup Maker for Opt-ins, Email Newsletters & Lead Generation". Any installation that has not been upgraded past 1.1.7 is potentially exploitable.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an unauthenticated HTTP GET request to the email-verification page with a crafted token parameter; no privileges are needed. Because the attacker can execute any shortcode registered on the site, the potential impact ranges from content manipulation to code execution, depending on the site's configuration and installed plugins. The risk is therefore significant enough to warrant prompt patching, especially where the plugin is actively used.
OpenCVE Enrichment