Instant Popup Builder <= 1.1.7 - Unauthenticated Arbitrary Shortcode Execution via 'token' Parameter

The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handle_email_verification_page() function constructing a shortcode string from user-supplied GET parameters (token, email) and passing it to do_shortcode() without properly sanitizing square bracket characters, combined with missing authorization checks on the init hook. While sanitize_text_field() and esc_attr() are applied, neither function strips or escapes square bracket characters ([ and ]). WordPress's shortcode regex uses [^\]\/]* to match content inside shortcode tags, meaning a ] character in the token value prematurely closes the shortcode tag. This makes it possible for unauthenticated attackers to inject and execute arbitrary registered shortcodes by crafting a malicious token parameter containing ] followed by arbitrary shortcode syntax.

Back to Feed View Plugin Hub Open CVE Reference

Published

Mar 18, 2026

Last Updated

Mar 18, 2026

Slug

instant-popup-builder

Risk Profile

5.3 CVSS Score

Weakness

Missing Authorization

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Researchers

theviper17y

Operational Summary

What the operator needs to know

Share Email

Patch Status

Patched release is available

Remediation

Update to version 1.1.8, or a newer patched version

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/979962e3-9052-4dc9-94d0-3ec8de3d5460?source=api-prod

Detailed Metadata

Software Type	Plugin
Software Slug	instant-popup-builder View on wordpress.org
CVE	CVE-2026-3475
Patched Versions	1.1.8
Affected Versions	*-1.1.7

Licensing Notices

This record contains material that is subject to copyright

DEFIANT

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more

MITRE

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more