CVE-2026-8848 in Popup Maker Plugin
Summary
by MITRE • 07/09/2026
The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.22.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with editor-level access and above, to install and activate an arbitrary plugin from an attacker-controlled URL, leading to remote code execution. Exploitation requires that a valid Popup Maker Pro license is active on the target site and that Popup Maker Pro is not yet installed, as these conditions are necessary for the legacy v1/connect/info endpoint to issue the bearer token used to satisfy the install endpoint's only non-spoofable validation check.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
This vulnerability affects the Popup Maker WordPress plugin, specifically targeting versions up to and including 1.22.0, creating a critical authorization bypass flaw that enables authenticated attackers with editor-level privileges or higher to execute remote code. The core technical weakness stems from insufficient user authorization verification within the plugin's codebase, allowing malicious actors to circumvent intended security controls. The vulnerability manifests through the improper validation of user permissions during plugin installation operations, effectively undermining the WordPress permission model and creating a pathway for unauthorized modifications.
The exploitation chain requires specific conditions to be met, including an active Popup Maker Pro license on the target system and the absence of Popup Maker Pro installation, as these prerequisites enable the legacy v1/connect/info endpoint to generate a bearer token. This token serves as the sole non-spoofable validation mechanism for the install endpoint, making the vulnerability conditionally dependent on the plugin's licensing state and installation status. The attack vector leverages the legitimate plugin functionality to install arbitrary plugins from attacker-controlled URLs, bypassing normal WordPress security measures that would typically prevent such unauthorized installations.
From a cybersecurity perspective, this vulnerability represents a significant threat to WordPress environments as it allows for remote code execution through seemingly legitimate plugin management functions. The authorization bypass directly violates principle of least privilege and proper access control mechanisms that should protect against authenticated users performing actions beyond their designated permissions. The attack requires only editor-level access or higher, making it particularly dangerous in environments where multiple user roles exist with varying permission levels.
The operational impact of this vulnerability extends beyond simple unauthorized plugin installation, as the ability to install arbitrary plugins from remote sources creates opportunities for malware deployment, backdoor establishment, and complete system compromise. This type of vulnerability falls under CWE-284 which specifically addresses improper access control issues, and aligns with ATT&CK technique T1059 for command and scripting interpreter usage. The vulnerability demonstrates how legitimate plugin features can be abused to create persistent threats within WordPress environments.
Organizations should immediately update to patched versions of the Popup Maker plugin to remediate this vulnerability, as there are no effective workarounds that maintain the plugin's functionality while addressing the authorization bypass issue. Security teams should monitor for suspicious plugin installations and verify the integrity of all installed plugins against known good hashes or digital signatures. The vulnerability highlights the importance of proper input validation and authentication checks in web applications, particularly those that handle administrative functions or user privilege escalation scenarios. Regular security audits of WordPress plugins and their update processes are essential to prevent exploitation of similar authorization bypass vulnerabilities in other components of the WordPress ecosystem.