CVE-2026-3475 in Instant Popup Builder Plugin
Summary
by MITRE • 03/19/2026
The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handle_email_verification_page() function constructing a shortcode string from user-supplied GET parameters (token, email) and passing it to do_shortcode() without properly sanitizing square bracket characters, combined with missing authorization checks on the init hook. While sanitize_text_field() and esc_attr() are applied, neither function strips or escapes square bracket characters ([ and ]). WordPress's shortcode regex uses [^\]\/]* to match content inside shortcode tags, meaning a ] character in the token value prematurely closes the shortcode tag. This makes it possible for unauthenticated attackers to inject and execute arbitrary registered shortcodes by crafting a malicious token parameter containing ] followed by arbitrary shortcode syntax.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/19/2026
The vulnerability identified as CVE-2026-3475 affects the Instant Popup Builder plugin for WordPress, presenting a critical security risk through unauthenticated arbitrary shortcode execution. This flaw exists in all versions up to and including 1.1.7, making it particularly concerning given the widespread use of WordPress plugins. The vulnerability stems from improper input validation and sanitization within the handle_email_verification_page() function, which processes user-supplied GET parameters to construct shortcode strings. The plugin's failure to adequately sanitize square bracket characters creates a pathway for attackers to manipulate the shortcode parsing mechanism.
The technical implementation of this vulnerability involves the construction of shortcode strings from user-provided token and email parameters without proper sanitization of square bracket characters. While the plugin does apply sanitize_text_field() and esc_attr() functions to the input data, these sanitization methods do not effectively remove or escape the bracket characters that are essential for shortcode syntax. WordPress's shortcode parsing mechanism utilizes regular expressions that employ the pattern [^\]\/]* to match content within shortcode tags, which means that a closing bracket character within the token value prematurely terminates the shortcode tag. This parsing behavior enables attackers to craft malicious payloads where a ] character in the token parameter effectively closes the shortcode tag and allows subsequent content to be interpreted as additional shortcode syntax.
The operational impact of this vulnerability is severe as it allows unauthenticated attackers to execute arbitrary registered shortcodes on affected WordPress installations. This capability extends beyond simple code injection to potentially enable full compromise of the affected systems, as attackers can leverage registered shortcodes to perform actions such as data exfiltration, privilege escalation, or even remote code execution depending on the functionality of the registered shortcodes. The vulnerability operates through the init hook without proper authorization checks, meaning that any user can trigger the malicious shortcode execution simply by crafting a specific URL parameter. This lack of authentication validation combined with the shortcode parsing flaw creates a direct path for exploitation that requires no prior access or credentials.
Security mitigations for this vulnerability should focus on immediate remediation through plugin updates to versions that properly sanitize square bracket characters from user input before processing. The recommended approach involves implementing proper input validation that strips or escapes all bracket characters from user-supplied parameters before they are passed to the do_shortcode() function. Additionally, the plugin should enforce proper authorization checks on the init hook to ensure that only authenticated users can trigger the email verification page functionality. Organizations should also consider implementing network-level protections such as web application firewalls that can detect and block malicious shortcode injection attempts. This vulnerability aligns with CWE-79 (Cross-site Scripting) and CWE-94 (Code Injection) categories, while the attack vector maps to ATT&CK technique T1059.008 (Command and Scripting Interpreter: PowerShell) through potential exploitation of registered shortcode functions that may execute system commands or access sensitive data. The remediation process should include thorough testing of the patched version to ensure that legitimate functionality remains intact while the security vulnerability is fully addressed.