CVE-2026-3475
Status: Received - Intake
Unauthenticated Arbitrary Shortcode Execution in Instant Popup Builder Plugin

Publication date: 2026-03-19

Last updated on: 2026-03-19

Assigner: Wordfence

Description
The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handle_email_verification_page() function constructing a shortcode string from user-supplied GET parameters (token, email) and passing it to do_shortcode() without properly sanitizing square bracket characters, combined with missing authorization checks on the init hook. While sanitize_text_field() and esc_attr() are applied, neither function strips or escapes square bracket characters ([ and ]). WordPress's shortcode regex uses [^\]\/]* to match content inside shortcode tags, meaning a ] character in the token value prematurely closes the shortcode tag. This makes it possible for unauthenticated attackers to inject and execute arbitrary registered shortcodes by crafting a malicious token parameter containing ] followed by arbitrary shortcode syntax.
Meta Information
Published: 2026-03-19
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-03-19
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Showing 3 associated CPEs

Vendor      Product                      Version / Range
wordfence   instant_popup_builder        up to 1.1.7 (inclusive)
wordfence   instant_popup_builder        1.1.8
wordfence   instant_popup_subscription   1.1.6
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the Instant Popup Builder WordPress plugin (up to version 1.1.7) allows unauthenticated attackers to execute arbitrary registered shortcodes. This happens because the function handle_email_verification_page() constructs a shortcode string from user-supplied GET parameters (token, email) and passes it to do_shortcode() without properly sanitizing square bracket characters ([ and ]).

Since sanitize_text_field() and esc_attr() do not remove or escape square brackets, an attacker can inject a ] character in the token parameter to prematurely close the shortcode tag and then append malicious shortcode syntax. There are also missing authorization checks on the init hook, which means no authentication is required to exploit this.


How can this vulnerability impact me?

This vulnerability can allow an unauthenticated attacker to inject and execute arbitrary shortcodes within the WordPress site using the Instant Popup Builder plugin. This can lead to unauthorized actions being performed on the site, such as manipulating content, triggering unintended plugin functionality, or potentially escalating to further attacks depending on the registered shortcodes available.

The CVSS score of 5.3 (medium severity) indicates that the impact is limited to integrity (I:L) with no direct impact on confidentiality or availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for HTTP requests to the Instant Popup Builder plugin's email verification page that include suspicious or malformed GET parameters, especially the 'token' parameter containing square bracket characters (e.g., ] followed by shortcode syntax). Such requests may indicate attempts to exploit the unauthenticated arbitrary shortcode execution vulnerability.

A practical approach is to search web server logs for requests to URLs containing the 'token' parameter with square brackets or unusual shortcode patterns.

Use grep or similar tools to find suspicious requests in access logs, for example:

  grep -E 'token=.*\[|token=.*\]' /var/log/apache2/access.log
  grep -i 'instant-popup-builder.*token=' /var/log/nginx/access.log

Additionally, monitoring for unexpected shortcode execution or unusual shortcode-related errors in WordPress debug logs may help detect exploitation attempts.
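The log search described above, carried a step further as an added Python example (not code from the advisory, from Wordfence, or from the plugin): it parses combined-format access log lines, percent-decodes the token query parameter (so encoded brackets such as %5D, which a plain grep for a literal ] would miss, are caught as well, including double-encoded forms) and reports every request whose decoded token contains [ or ]. The log lines are constructed samples; only the parameter name token comes from the advisory, while the request paths, client addresses and the placeholder shortcode names are assumptions.

```python
"""Flag access-log requests whose `token` query parameter carries square
brackets, the marker of the shortcode-tag break-out described in the advisory."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
# The paths and the shortcode names are placeholders, not the plugin's own.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Mar/2026:10:01:02 +0000] "GET /?token=abc123def&email=user%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [19/Mar/2026:10:01:05 +0000] "GET /?token=abc]%5Bexample_shortcode%5D&email=user%40example.com HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.12 - - [19/Mar/2026:10:01:09 +0000] "GET /?token=abc%5D%5Banother_one%5D&email=x%40example.com HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.13 - - [19/Mar/2026:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter named in the advisory; add others here if the site exposes them.
WATCHED_PARAMS = ("token",)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so %255D (a double-encoded ']') is seen as ']'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> dict:
    """Return {param: decoded_value} for watched parameters containing '[' or ']'."""
    query = urlsplit(target).query
    hits = {}
    # parse_qs strips one layer of percent-encoding; decode_fully handles the rest.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = decode_fully(value)
            if "[" in decoded or "]" in decoded:
                hits[name] = decoded
    return hits


def scan_log(text: str) -> list:
    """One finding per suspicious request: (client ip, time, status, {param: value})."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip it rather than abort the scan
        hits = suspicious_params(match["target"])
        if hits:
            findings.append((match["ip"], match["time"], int(match["status"]), hits))
    return findings


if __name__ == "__main__":
    for ip, when, status, hits in scan_log(SAMPLE_LOG):
        print(f"{when} {ip} status={status} {hits}")
```

A 200 response to such a request is not by itself proof of successful shortcode execution, since the page renders either way; treat the finding as a trigger to confirm the installed plugin version and to review what the site's registered shortcodes can do.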


What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to update the Instant Popup Builder plugin to version 1.1.8 or later, which includes security fixes addressing this vulnerability.

Version 1.1.8 improves input sanitization, fixes issues related to verification and unsubscribe links, and ensures safe handling of verification pages to prevent code injection.

If updating immediately is not possible, consider temporarily disabling the plugin or restricting access to the email verification page to trusted users only.

Also, monitor your logs for suspicious activity as described earlier and apply web application firewall (WAF) rules to block requests containing suspicious shortcode injection patterns.

