5.3

WordPress Popup Builder Plugin Allows Unauthorized Email Unsubscribes

CVE-2025-13079
Summary

A security flaw in the WordPress Popup Builder plugin lets unauthenticated attackers remove people from email lists without permission, provided the attacker knows the person's email address. To protect your email list, update the plugin to a version higher than 4.4.2.

Original title
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due t...
Original description
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due to the plugin generating predictable unsubscribe tokens using deterministic data. This makes it possible for unauthenticated attackers to unsubscribe arbitrary subscribers from mailing lists via brute-forcing the unsubscribe token, granted they know the victim's email address.
nvd CVSS3.1 5.3
Vulnerability type
CWE-1241
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026
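
The weakness class named in the description (an unsubscribe token derived from deterministic data) next to two hardened forms, as an added example that is not the plugin's code. The function names, the fields fed into the weak token and the sample values are assumptions made for illustration; the page does not state how the plugin builds its token.

```php
<?php
declare(strict_types=1);

// Hypothetical weak pattern (NOT the plugin's actual code): every input is
// known to, or enumerable by, anyone who knows the subscriber's address.
function weak_token(string $email, int $popupId): string
{
    return md5($email . $popupId);
}

// Hardened, stateful: 256 bits from the CSPRNG, generated once per
// subscription and stored next to the subscriber record.
function issue_token(): string
{
    return bin2hex(random_bytes(32));
}

// Hardened, stateless: HMAC over the same fields with a server-side secret,
// so the value cannot be recomputed without that secret.
function signed_token(string $email, int $popupId, string $secret): string
{
    return hash_hmac('sha256', strtolower($email) . '|' . $popupId, $secret);
}

// Reject missing or non-string input, then compare in constant time.
function token_matches(string $expected, mixed $presented): bool
{
    return is_string($presented) && hash_equals($expected, $presented);
}

// Constructed sample data.
$email   = 'alice@example.com';
$popupId = 7;
$secret  = random_bytes(32);   // in practice: a persistent site-level secret
$stored  = issue_token();      // saved with the subscriber row at sign-up

// A value recomputed from public fields only.
$recomputed = weak_token($email, $popupId);

// The weak scheme accepts it; the random and keyed schemes do not.
var_dump(token_matches(weak_token($email, $popupId), $recomputed));
var_dump(token_matches($stored, $recomputed));
var_dump(token_matches(signed_token($email, $popupId, $secret), $recomputed));

// The legitimate link, carrying the stored token, still verifies.
var_dump(token_matches($stored, $stored));
```

Either hardened form removes the predictability; rate-limiting failed unsubscribe requests per address is a useful second layer on the endpoint.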