CVE-2026-8848
Received Received - Intake

Authorization Bypass in Popup Maker WordPress Plugin

Vulnerability report for CVE-2026-8848, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Wordfence

Description

The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.22.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with editor-level access and above, to install and activate an arbitrary plugin from an attacker-controlled URL, leading to remote code execution. Exploitation requires that a valid Popup Maker Pro license is active on the target site and that Popup Maker Pro is not yet installed, as these conditions are necessary for the legacy v1/connect/info endpoint to issue the bearer token used to satisfy the install endpoint's only non-spoofable validation check.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
popup_maker popup_maker to 1.22.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the Popup Maker WordPress plugin (versions up to and including 1.22.0) and is an authorization bypass issue. It occurs because the plugin does not properly verify if a user is authorized to perform certain actions.

This flaw allows authenticated users with editor-level access or higher to install and activate arbitrary plugins from attacker-controlled URLs. This can lead to remote code execution on the affected site.

Exploitation requires that the target site has a valid Popup Maker Pro license active and that Popup Maker Pro is not yet installed. These conditions allow the attacker to obtain a bearer token needed to bypass validation checks.

Impact Analysis

This vulnerability can have severe impacts including unauthorized installation and activation of plugins by users who should not have such privileges.

Since it can lead to remote code execution, attackers could potentially take full control of the affected WordPress site, leading to data theft, site defacement, or further compromise.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8848. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart