Back to overview

CVE-2026-8848

HIGH
7.2
CVSS 3.1
Description
The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.22.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with editor-level access and above, to install and activate an arbitrary plugin from an attacker-controlled URL, leading to remote code execution. Exploitation requires that a valid Popup Maker Pro license is active on the target site and that Popup Maker Pro is not yet installed, as these conditions are necessary for the legacy v1/connect/info endpoint to issue the bearer token used to satisfy the install endpoint's only non-spoofable validation check.

Metadata

CVE ID
CVE-2026-8848
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-05-18 15:45 UTC
Published
2026-07-09 07:55 UTC
Last updated
2026-07-09 12:49 UTC
Primary CWE
CWE-862
CWE-862 Missing Authorization
Vendor / Product
danieliser / Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder
Sources
cve.org  ·  NVD

Severity & Metrics

7.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
danieliser Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder 0 ≤ 1.22.0
Weakness (CWE)
CWESourceDescription
CWE-862 cna CWE-862 Missing Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Back to overview