CVE-2026-3475
Received Received - Intake
Unauthenticated Arbitrary Shortcode Execution in Instant Popup Builder Plugin

Publication date: 2026-03-19

Last updated on: 2026-03-19

Assigner: Wordfence

Description
The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handle_email_verification_page() function constructing a shortcode string from user-supplied GET parameters (token, email) and passing it to do_shortcode() without properly sanitizing square bracket characters, combined with missing authorization checks on the init hook. While sanitize_text_field() and esc_attr() are applied, neither function strips or escapes square bracket characters ([ and ]). WordPress's shortcode regex uses [^\]\/]* to match content inside shortcode tags, meaning a ] character in the token value prematurely closes the shortcode tag. This makes it possible for unauthenticated attackers to inject and execute arbitrary registered shortcodes by crafting a malicious token parameter containing ] followed by arbitrary shortcode syntax.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3475
EUVD
EUVD-2026-13074
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
wordfence instant_popup_builder to 1.1.7 (inc)
wordfence instant_popup_builder 1.1.8
wordfence instant_popup_subscription 1.1.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Instant Popup Builder WordPress plugin (up to version 1.1.7) allows unauthenticated attackers to execute arbitrary registered shortcodes. This happens because the function handle_email_verification_page() constructs a shortcode string from user-supplied GET parameters (token, email) and passes it to do_shortcode() without properly sanitizing square bracket characters ([ and ]).

Since sanitize_text_field() and esc_attr() do not remove or escape square brackets, an attacker can inject a ] character in the token parameter to prematurely close the shortcode tag and then append malicious shortcode syntax. There are also missing authorization checks on the init hook, which means no authentication is required to exploit this.

Impact Analysis

This vulnerability can allow an unauthenticated attacker to inject and execute arbitrary shortcodes within the WordPress site using the Instant Popup Builder plugin. This can lead to unauthorized actions being performed on the site, such as manipulating content, triggering unintended plugin functionality, or potentially escalating to further attacks depending on the registered shortcodes available.

The CVSS score of 5.3 (medium severity) indicates that the impact is limited to integrity (I:L) with no direct impact on confidentiality or availability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests to the Instant Popup Builder plugin's email verification page that include suspicious or malformed GET parameters, especially the 'token' parameter containing square bracket characters (e.g., ] followed by shortcode syntax). Such requests may indicate attempts to exploit the unauthenticated arbitrary shortcode execution vulnerability.

A practical approach is to search web server logs for requests to URLs containing the 'token' parameter with square brackets or unusual shortcode patterns.

  • Use grep or similar tools to find suspicious requests in access logs, for example:
  • grep -E 'token=.*\[|token=.*\]' /var/log/apache2/access.log
  • grep -i 'instant-popup-builder.*token=' /var/log/nginx/access.log

Additionally, monitoring for unexpected shortcode execution or unusual shortcode-related errors in WordPress debug logs may help detect exploitation attempts.

Mitigation Strategies

The immediate and most effective mitigation is to update the Instant Popup Builder plugin to version 1.1.8 or later, which includes security fixes addressing this vulnerability.

Version 1.1.8 improves input sanitization, fixes issues related to verification and unsubscribe links, and ensures safe handling of verification pages to prevent code injection.

If updating immediately is not possible, consider temporarily disabling the plugin or restricting access to the email verification page to trusted users only.

Also, monitor your logs for suspicious activity as described earlier and apply web application firewall (WAF) rules to block requests containing suspicious shortcode injection patterns.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3475. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart